Cisco SCOR / CCNP Security Core 350-701 (350-701) — Questions 76–150

500 questions total · 7 pages · All types, answers revealed

Page 2 of 7
76
Multi-Select · hard

Which THREE of the following are valid characteristics of a next-generation firewall (NGFW) compared to a traditional stateful firewall? (Choose three.)

Select 3 answers
A. Decryption and inspection of SSL/TLS traffic
B. Application identification regardless of port
C. Support for network address translation (NAT)
D. Support for site-to-site VPNs
E. Integrated intrusion prevention system (IPS)
Answers: A, B, E

NGFWs can decrypt encrypted traffic for inspection.

Why this answer

A is correct because NGFWs can perform SSL/TLS decryption and inspection, allowing them to examine encrypted traffic for threats. Traditional stateful firewalls only inspect packet headers and state information, leaving encrypted payloads unexamined. This capability is critical for detecting malware or data exfiltration hidden in HTTPS sessions.

Exam trap

Cisco often tests the misconception that NAT and VPNs are exclusive to NGFWs, when in fact they are common features of both traditional stateful firewalls and NGFWs.

77
MCQ · medium

A company uses Cisco ISE for network access control. They have deployed TrustSec and want to enforce segmentation using Security Group Tags (SGTs). The network team reports that SGTs are not being propagated correctly. Which protocol is responsible for SGT propagation between switches?

A. NETCONF
B. RADIUS
C. CDP
D. SXP
Answer: D

SXP is the protocol designed to exchange SGT mappings between Cisco devices.

Why this answer

Option D is correct because SXP (SGT Exchange Protocol) is used for SGT propagation between devices that do not support inline tagging. Option B is incorrect because RADIUS carries the SGT in AV pairs but is not used for switch-to-switch propagation. Option A is incorrect because NETCONF is a management protocol.

Option C is incorrect because CDP is for device discovery, not SGT propagation.

78
MCQ · hard

A company has a hybrid cloud environment with workloads in AWS and Azure, and an on-premises data center. They use Cisco Tetration for micro-segmentation and Cisco CloudCenter for orchestration. Recently, they deployed a new multi-tier application in AWS: a web tier, an application tier, and a database tier, all across multiple Availability Zones. After deployment, the application is unreachable. The security team reviews Tetration policies and finds that a policy is in place to allow traffic between tiers, but the web tier cannot communicate with the application tier. The Tetration agent status shows all agents are healthy. The administrator checks the AWS security groups and notices that the web tier's security group allows inbound HTTP from 0.0.0.0/0, but the application tier's security group does not allow inbound traffic from the web tier's subnet. The application tier's security group only allows inbound traffic from the on-premises CIDR block in error. The network team requests a fix that does not impact other ongoing audits. What should the administrator do?

A. Redeploy the application using Cisco CloudCenter to ensure proper security group association.
B. Configure Tetration to use 'full enforcement' mode for all policies, which overrides AWS security groups.
C. Update the AWS security group for the application tier to allow inbound traffic from the web tier's subnet.
D. Remove the Tetration policy for the application tier to allow all traffic.
Answer: C

Correct: This directly fixes the misconfigured security group blocking traffic.

Why this answer

Option C is correct because the root cause is that the AWS security group for the application tier is misconfigured to only allow inbound traffic from the on-premises CIDR block, rather than from the web tier's subnet. Cisco Tetration enforces micro-segmentation policies at the host level via agents, but it does not override or bypass native cloud security groups; both layers must permit the traffic. Updating the security group to allow inbound traffic from the web tier's subnet resolves the connectivity issue without affecting other audits, as it is a targeted, non-disruptive change.

Exam trap

Cisco often tests the misconception that Tetration's micro-segmentation policies can override or bypass cloud-native security groups, when in fact both layers must be correctly configured for traffic to flow.

How to eliminate wrong answers

Option A is wrong because redeploying the application with Cisco CloudCenter would not fix the existing security group misconfiguration; CloudCenter orchestrates deployment but does not automatically correct security group rules that were manually set or incorrectly applied. Option B is wrong because Tetration's 'full enforcement' mode enforces policies at the host level via agents, but it cannot override or bypass AWS security groups, which are enforced at the hypervisor/network level before traffic reaches the instance. Option D is wrong because removing the Tetration policy would disable micro-segmentation for the application tier, potentially exposing it to unauthorized traffic, and would not address the underlying security group misconfiguration that blocks legitimate inter-tier traffic.

79
MCQ · medium

An organization is using Cisco ISE to enforce posture compliance. Endpoints that are non-compliant should be placed into a quarantine VLAN. Which ISE policy component is used to assign the VLAN?

A. Authorization profile
B. Policy set
C. Profiling policy
D. Authentication policy
Answer: A

An authorization profile contains enforcement attributes such as the VLAN ID, a dACL, etc.

Why this answer

The correct answer is A because an Authorization Profile in Cisco ISE defines the enforcement actions to be applied to an endpoint after successful authentication and authorization. When a posture assessment determines an endpoint is non-compliant, the authorization policy can match that condition and return an authorization profile that includes a specific VLAN ID (e.g., quarantine VLAN) via RADIUS attributes such as Tunnel-Private-Group-ID (RFC 2868). This VLAN assignment is a core function of the authorization profile, not of authentication or profiling.

Exam trap

The trap here is that candidates often confuse the role of the Authorization Profile with the Policy Set or Authentication Policy, mistakenly thinking that VLAN assignment is part of the authentication decision rather than a separate authorization action applied after successful authentication.

How to eliminate wrong answers

Option B is wrong because a Policy Set is a container that groups authentication and authorization policies based on conditions like identity source or network device; it does not itself assign VLANs or other enforcement attributes. Option C is wrong because a Profiling Policy is used to identify and classify endpoints based on attributes like MAC OUI or DHCP fingerprint, but it does not enforce network access restrictions such as VLAN assignment. Option D is wrong because an Authentication Policy determines whether a user or device is allowed to access the network (e.g., via credentials or certificate), but it does not define the post-authentication enforcement actions like VLAN placement.

80
MCQ · hard

A security engineer is configuring a Cisco Firepower Threat Defense (FTD) device managed by FMC. They want to create a rule that blocks access to social media applications regardless of port or protocol. Which policy should be used?

A. Intrusion Policy
B. Prefilter Policy
C. SSL Policy
D. Access Control Policy with Application and URL filtering
Answer: D

Access control policies can include application and URL conditions.

Why this answer

An Access Control Policy with Application and URL filtering is the correct choice because it allows the security engineer to create a rule that blocks social media applications based on application signatures, independent of the port or protocol used. This policy inspects traffic at Layer 7, using the Cisco Firepower application detector database to identify and block applications like Facebook or Twitter even if they use non-standard ports or encryption.

Exam trap

The trap here is that candidates often confuse the Prefilter Policy (which fast-paths or blocks traffic based on IP/port) with application-level blocking; Cisco tests that only an Access Control Policy with application filtering can block applications regardless of port or protocol.

How to eliminate wrong answers

Option A is wrong because an Intrusion Policy is designed to detect and prevent network-based attacks using signatures and vulnerabilities, not to block specific applications based on identity. Option B is wrong because a Prefilter Policy operates at Layer 3/4 to fast-path or block traffic based on IP addresses, ports, or protocols, and cannot perform application-level identification to block social media regardless of port. Option C is wrong because an SSL Policy is used to decrypt or inspect encrypted traffic, but it does not contain rules to block applications; application blocking requires an Access Control Policy with application filtering.

81
Matching · medium

Match each threat type to its definition.

Matches

Fraudulent emails to steal sensitive info

Malware that encrypts data for ransom

Distributed attack to overwhelm a service

Attacker intercepts communications

Attack on unknown vulnerability

Why these pairings

These are common cybersecurity threats.

82
Drag & Drop · medium

Drag and drop the steps to configure a Cisco IOS router as a Zone-Based Firewall (ZBF) in the correct order.


Why this order

First assign interfaces to zones, then create class-map, policy-map, zone-pair, and apply the policy to the zone-pair.

83
Multi-Select · medium

A security team is evaluating cloud security solutions. Which TWO of the following are core capabilities of a Cloud Access Security Broker (CASB)?

Select 2 answers
A. Provisioning and de-provisioning of cloud resources
B. Container image scanning
C. Shadow IT discovery and visibility
D. Intrusion prevention for virtual machines
E. Data loss prevention (DLP) for cloud applications
Answers: C, E

CASBs provide discovery of unauthorized cloud applications.

Why this answer

Option C is correct because Shadow IT discovery and visibility is a core CASB capability. CASBs discover unsanctioned cloud applications (Shadow IT) by analyzing network traffic logs, API integrations, or proxy data to identify cloud services used without IT approval, providing visibility into usage, risk posture, and user activity.

Exam trap

Cisco often tests the distinction between CASB capabilities (focused on cloud application security, DLP, and Shadow IT) and other security domains like cloud workload protection (CWPP) or cloud infrastructure security, leading candidates to confuse VM or container security features with CASB functions.

84
MCQ · medium

A security engineer wants to implement file reputation analysis using Cisco AMP for Endpoints. The policy must block files that are known to be malicious in the cloud and quarantine unknown files for further analysis. Which AMP policy configuration achieves this?

A. Create a policy with File Reputation rules: Malware -> Block, Unknown -> Quarantine.
B. Create a policy with Application Control to block all executables from the internet.
C. Create a policy with File Reputation rules: Malware -> Block, Unknown -> Allow.
D. Create a policy with Custom Detection rules for specific SHA256 hashes only.
Answer: A

This matches the requirement to block known malware and quarantine unknown files.

Why this answer

Option A is correct because 'File Reputation' with action 'Block' for Malware and 'Quarantine' for Unknown meets the requirement. Option C is incorrect because 'Allow' for Unknown does not quarantine. Option D is incorrect because 'Custom Detection' does not directly address global reputation.

Option B is incorrect because 'Application Control' is for allow/block lists, not reputation.

85
MCQ · easy

Which security principle ensures that a user or system is granted only the minimum permissions necessary to perform a specific function?

A. Need-to-know
B. Least privilege
C. Separation of duties
D. Defense in depth
Answer: B

Directly refers to granting minimal necessary permissions.

Why this answer

The principle of least privilege dictates that a user, process, or system should be granted only the minimum permissions necessary to perform a specific function. In Cisco security contexts, this is enforced through features like Role-Based Access Control (RBAC) on Cisco IOS devices, where privilege levels (0-15) are assigned to restrict command access, or via TrustSec Security Group Tags (SGTs) that limit traffic flows to only required resources.

Exam trap

Cisco often tests least privilege by pairing it with 'need-to-know' as a distractor, hoping candidates confuse the data-centric 'need-to-know' with the permission-centric 'least privilege' principle.

How to eliminate wrong answers

Option A is wrong because need-to-know is an access control model that restricts access to data based on the user's requirement to know that information to perform their job, but it does not inherently limit the permissions to the minimum necessary for a function; it focuses on data classification and clearance levels, not on the granularity of permissions. Option C is wrong because separation of duties is a security principle that prevents a single individual from having conflicting responsibilities (e.g., both creating and approving a change), which reduces fraud risk, but it does not address the minimization of permissions for a single function. Option D is wrong because defense in depth is a layered security strategy that uses multiple overlapping controls (e.g., firewalls, IPS, VPNs) to protect assets, but it is not a principle that governs the granularity of permissions assigned to a user or system.

86
Multi-Select · medium

A company is migrating critical workloads to AWS and wants to ensure secure connectivity between their on-premises network and the VPC. Which TWO actions should be taken to meet this requirement?

Select 2 answers
A. Attach an internet gateway to the VPC and allow all inbound traffic.
B. Configure a security group that allows all traffic from the on-premises network.
C. Provision an AWS Direct Connect connection for a private, dedicated link.
D. Use security groups to allow traffic from the on-premises IP range.
E. Deploy an AWS Site-to-Site VPN connection using IPsec.
Answers: C, E

Direct Connect provides a private, low-latency connection bypassing the internet.

Why this answer

Option C is correct because AWS Direct Connect provides a private, dedicated network link from on-premises to AWS, bypassing the public internet for consistent latency, higher bandwidth, and enhanced security. This meets the requirement for secure connectivity during a critical workload migration.

Exam trap

Cisco often tests the misconception that security groups or network ACLs alone can provide secure connectivity, when in fact they are only access control mechanisms that require an underlying transport (VPN or Direct Connect) to establish the link.

87
MCQ · easy

A company is implementing cloud security posture management (CSPM). Which Cisco product provides CSPM capabilities?

A. Cisco Tetration
B. Cisco Firepower
C. Cisco ISE
D. Cisco Cloudlock
Answer: D

Cloudlock provides CSPM and CASB capabilities.

Why this answer

Cisco Cloudlock is the correct answer because it is Cisco's cloud-native cloud security posture management (CSPM) solution. It continuously monitors cloud infrastructure (e.g., AWS, Azure, GCP) for misconfigurations, compliance violations, and security risks, providing automated remediation and visibility into cloud security posture. This directly aligns with the CSPM use case described in the question.

Exam trap

Cisco often tests the distinction between network security products (Firepower, ISE) and cloud-native security tools (Cloudlock), so the trap here is assuming that a well-known network security product like Firepower or ISE can also handle cloud posture management, when in fact CSPM requires a dedicated cloud-integrated solution like Cloudlock.

How to eliminate wrong answers

Option A is wrong because Cisco Tetration is a workload security and micro-segmentation platform for on-premises data centers, not a cloud security posture management tool; it focuses on application dependency mapping and zero-trust segmentation, not cloud configuration monitoring. Option B is wrong because Cisco Firepower is a next-generation firewall (NGFW) and intrusion prevention system (IPS) for network security, not a CSPM solution; it does not provide cloud-native posture assessment or compliance monitoring. Option C is wrong because Cisco ISE (Identity Services Engine) is a network access control (NAC) and policy enforcement platform for on-premises networks, not a cloud security posture management tool; it handles authentication, authorization, and guest access, not cloud configuration auditing.

88
MCQ · medium

A company uses Cisco AMP for Endpoints and also deploys Cisco Firepower Next-Generation Firewall (NGFW) with AMP integration. The security team wants to see endpoint detections in the Firepower Management Center (FMC). What must be configured to enable this integration?

A. Enable the AMP integration in the FMC and ensure the AMP cloud account is configured with the correct API credentials.
B. Configure the AMP connectors to send Syslog events to the FMC.
C. Deploy an on-premises AMP console to forward events to FMC.
D. Configure the Firepower NGFW to be the default gateway for the endpoints.
Answer: A

The integration uses API calls between FMC and AMP cloud to exchange threat intelligence.

Why this answer

Option A is correct because the AMP connector must be registered with the AMP cloud, and the FMC must be configured to pull events via API. Option D is wrong because the firewall does not need to be the default gateway. Option B is wrong because Syslog is not the primary method; API integration is used.

Option C is wrong because the AMP cloud account is already used; the issue is registration.

89
MCQ · hard

A network administrator has configured the above on a Cisco switch port for a device that supports both MAB and 802.1X. The device sends an EAPOL-start but the switch responds with an EAP-Request/Identity. The device does not respond to the EAP-Request/Identity. After a timeout, the switch attempts MAB. However, MAB also fails because the RADIUS server does not have the MAC address. Which of the following best describes the final port state?

A. The port will be placed in a critical authentication VLAN
B. The port will be error-disabled due to authentication failure
C. The port will remain in an unauthorized state, blocking all traffic
D. The port will be placed in VLAN 10 with restricted access
Answer: C

With auto port control, a failed authentication leaves the port in the unauthorized state.

Why this answer

When 802.1X authentication fails because the device does not respond to the EAP-Request/Identity, and MAB also fails because the RADIUS server lacks the MAC address, the switch port remains in an unauthorized state. This is the default behavior for a port configured with both authentication methods: if neither succeeds, the port stays in the 802.1X unauthorized state, blocking all traffic until a successful authentication occurs or a fallback action (like a critical VLAN) is explicitly configured.

Exam trap

Cisco often tests the distinction between authentication failure and RADIUS server unavailability, where candidates mistakenly assume a guest VLAN or critical VLAN is automatically applied, but these require explicit configuration and are not default behaviors.

How to eliminate wrong answers

Option A is wrong because a critical authentication VLAN is only used when the RADIUS server is unreachable, not when authentication fails due to a missing MAC address or unresponsive client. Option B is wrong because authentication failure does not cause an error-disabled state; error-disable typically results from port security violations or other physical-layer issues, not from 802.1X or MAB failure. Option D is wrong because VLAN 10 is the configured guest VLAN, which would only be applied if the switch were configured to use a guest VLAN as a fallback for failed authentication, but the scenario does not mention any guest VLAN configuration, and the port remains unauthorized by default.

90
MCQ · hard

A security team is troubleshooting an incident where a compromised application running in a Kubernetes cluster on AWS EKS is being used to exfiltrate data to an external IP. They have deployed Cisco Secure Workload. How would the agent on the container report the exfiltration attempt?

A. By creating a violation for a policy that denies egress to unknown IPs
B. By generating a syslog alert for outbound traffic
C. By sending a NetFlow export to the controller
D. By blocking the traffic automatically and terminating the pod
Answer: A

Policy violation is the standard reporting mechanism.

Why this answer

Cisco Secure Workload uses a policy-based enforcement model where agents enforce micro-segmentation rules. When a container attempts egress to an external IP not permitted by an explicit allow policy, the agent creates a violation event for the deny rule that blocks unknown destinations. This violation is the primary reporting mechanism for policy violations, including exfiltration attempts.

Exam trap

Cisco often tests the distinction between reporting mechanisms (violation events) and data-plane telemetry (NetFlow, syslog), expecting candidates to know that Secure Workload's primary incident reporting is through policy violation events, not traditional logging or flow exports.

How to eliminate wrong answers

Option B is wrong because Cisco Secure Workload does not rely on syslog for reporting policy violations; it uses its own violation event system and API, not generic syslog alerts. Option C is wrong because NetFlow is a flow-level telemetry protocol used for traffic analysis, not for reporting policy violations; Secure Workload agents do not export NetFlow to the controller. Option D is wrong because Secure Workload can enforce policies to block traffic, but it does not automatically terminate pods; that action would require integration with Kubernetes admission controllers or separate automation.

91
MCQ · medium

A company has deployed Cisco AnyConnect VPN for remote access. They want to enforce that only company-managed devices with compliant antivirus and disk encryption can connect. Which solution should be added to the ASA?

A. Cisco Identity Services Engine (ISE) with posture assessment
B. Cisco Firepower Threat Defense (FTD) with intrusion policy
C. Cisco Umbrella with DNS filtering
D. Cisco Stealthwatch with NetFlow
Answer: A

ISE performs posture checks to ensure devices meet compliance requirements.

Why this answer

Cisco ISE with posture assessment is the correct solution because it integrates with the ASA to enforce endpoint compliance before granting VPN access. Posture assessment checks for specific conditions such as antivirus status, disk encryption, and OS patch levels, ensuring only company-managed devices that meet security policies can connect via AnyConnect.

Exam trap

Cisco often tests the distinction between network security controls (like IPS, DNS filtering, or flow analysis) and endpoint compliance enforcement, leading candidates to confuse a posture assessment requirement with a general security appliance.

How to eliminate wrong answers

Option B is wrong because Firepower Threat Defense (FTD) with intrusion policy focuses on network-based threat detection and prevention (e.g., IPS/IDS), not on endpoint compliance checks like antivirus or disk encryption. Option C is wrong because Cisco Umbrella with DNS filtering provides cloud-delivered security by blocking malicious domains and enforcing web policies, but it does not assess the posture of the connecting device. Option D is wrong because Cisco Stealthwatch with NetFlow is used for network visibility and anomaly detection through flow analysis, not for enforcing endpoint security requirements like antivirus or encryption.

92
MCQ · hard

An engineer is troubleshooting an IPsec VPN between two Cisco routers. The tunnel is up, but traffic is not passing. The encryption domain on both sides is correctly configured. What is the most likely cause?

A. Mismatched IPsec transform sets
B. Routing loop
C. ACL on the WAN interface blocking ESP traffic
D. Mismatched IKE phase 1 parameters
Answer: C

ESP traffic (IP protocol 50) may be dropped by an inbound or outbound ACL.

Why this answer

When the IPsec tunnel is up but no traffic passes, the most common cause is that the WAN interface ACL is blocking ESP (protocol 50) or UDP/4500 (NAT-T) traffic. Even though IKE and IPsec SAs are established, if the ACL drops the encrypted packets, the tunnel appears operational but cannot forward data. This is distinct from transform set or IKE mismatches, which would prevent the tunnel from coming up at all.

Exam trap

Cisco often tests the distinction between tunnel establishment (IKE phase 1 and 2) and data-plane forwarding, tricking candidates into thinking a tunnel being 'up' guarantees traffic flow, when in fact ACLs or firewall rules can block the encrypted payload.

How to eliminate wrong answers

Option A is wrong because mismatched IPsec transform sets would prevent the IPsec SAs from being established, causing the tunnel to fail or not come up, not remain up with no traffic. Option B is wrong because a routing loop would cause traffic to be forwarded in a cycle, not simply stop passing; the tunnel being up indicates the routers can communicate, but a loop would manifest as high CPU or TTL expiration, not a silent traffic drop. Option D is wrong because mismatched IKE phase 1 parameters (e.g., encryption, hash, DH group) would prevent IKE phase 1 from completing, so the tunnel would never reach an 'up' state.

93
MCQ · hard

A financial services company recently migrated from a legacy web filter to Cisco WSA in explicit proxy mode. The company has 5000 users across three offices, each connected via MPLS. The WSA is deployed in the data center. A week after deployment, users in the remote office report that web pages load extremely slowly, while users in the main office near the data center experience normal speeds. The network team confirms there is no WAN congestion. The WSA administrator checks the logs and sees that the remote users are being authenticated via NTLM and that the WSA's CPU and memory usage are below 50%. However, the number of concurrent connections from the remote office is very high, with many connections in a TIME_WAIT state. What is the most likely cause of the slow web performance for remote users?

A. The WSA's proxy process is overloaded due to high SSL decryption demands.
B. Remote users are using an outdated browser that does not support modern protocols.
C. The WSA is not configured to reuse TCP connections, causing high connection overhead for remote users.
D. NTLM authentication is causing authentication delays over the MPLS link.
Answer: C

Connection reuse reduces latency.

Why this answer

The correct answer is C because the high number of concurrent connections in TIME_WAIT state indicates that TCP connections are being closed after each request instead of being reused. In explicit proxy mode, the WSA can reuse persistent connections to reduce latency, but if connection reuse is not configured, each HTTP request from a remote user requires a new TCP handshake, which adds significant round-trip time (RTT) over the MPLS link. This overhead explains the slow performance for remote users while main office users, with lower latency, are unaffected.

Exam trap

The trap here is that candidates often attribute slow performance to authentication delays (NTLM) or SSL decryption, but the key clue is the high number of TIME_WAIT connections, which points to TCP connection overhead rather than authentication or encryption processing.

How to eliminate wrong answers

Option A is wrong because the WSA's CPU and memory usage are below 50%, and the issue is not related to SSL decryption demands; the logs show NTLM authentication, not SSL-related problems. Option B is wrong because outdated browser support would cause compatibility issues, not a sudden increase in TIME_WAIT connections and connection overhead after a migration. Option D is wrong because NTLM authentication occurs once per session and does not cause a high number of concurrent connections in TIME_WAIT state; authentication delays would manifest as slow initial logins, not persistent slow page loads.

94
MCQ · hard

A security analyst is investigating a malware incident on an endpoint protected by Cisco AMP for Endpoints. The Device Trajectory shows that a file named 'invoice.exe' was detonated from a USB drive. The file's cloud verdict was 'Unknown' at the time of execution. The analyst sees that the file spawned multiple child processes that made outbound connections to a malicious IP. The AMP policy has 'Exploit Prevention' enabled but 'File Reputation' is set to 'Monitor' only. The analyst wants to prevent similar incidents in the future without blocking legitimate applications. Which action should the analyst recommend?

A. Block all execution of applications from removable media via Group Policy.
B. Enable all Exploit Prevention rules, including those for script-based attacks.
C. Add the SHA256 hash of 'invoice.exe' to the global blacklist.
D. Change the File Reputation setting to 'Block' for files with 'Unknown' disposition.
Answer: D

Prevents execution of unknown files while allowing known good files.

Why this answer

Option D is correct because setting File Reputation to 'Block' would have prevented execution of 'Unknown' files like invoice.exe. However, this might block legitimate unknown files. Option A (blocking USB execution) is too restrictive.

Option B (enabling more Exploit Prevention rules) would not have stopped this file because it was malware, not an exploit. Option C (adding the file hash to the blacklist) is reactive, not proactive.

95
MCQ · hard

A network administrator is configuring Cisco Umbrella for web security. They want to ensure that all DNS requests from branch offices are sent to Umbrella for policy enforcement, but they have limited control over the branch routers. What is the most effective deployment method?

A. Deploy the Umbrella roaming client on endpoints
B. Set up a transparent proxy on the branch routers
C. Configure Umbrella as DNS forwarder on the branch routers
D. Use PAC files on the clients to redirect web traffic
Answer: A

Endpoints send DNS directly to Umbrella; no network changes are needed.

Why this answer

The Umbrella roaming client (Option A) is the most effective method because it can be deployed on endpoints to redirect all DNS queries to Umbrella's cloud resolvers, regardless of branch router configuration. This client works at the OS level, intercepting DNS traffic and enforcing policies even when the network path is uncontrolled, making it ideal for scenarios with limited router access.

Exam trap

Cisco often tests the misconception that DNS forwarding or proxy configurations on routers are always the best approach, but the trap here is that the question explicitly states 'limited control over branch routers,' making endpoint-based solutions like the roaming client the only viable option for comprehensive DNS security enforcement.

How to eliminate wrong answers

Option B is wrong because setting up a transparent proxy on branch routers requires administrative control over those routers, which contradicts the constraint of limited control. Option C is wrong because configuring Umbrella as a DNS forwarder on branch routers also demands router-level configuration, and it only redirects DNS traffic, not all web traffic, potentially missing HTTP/HTTPS policy enforcement. Option D is wrong because PAC files only redirect web traffic for browsers that support them, leaving non-browser applications and DNS queries unaffected, and they require client-side configuration that may not be feasible in a limited-control environment.

96
MCQmedium

A company is migrating a web application to AWS and wants to protect against DDoS attacks at the application layer. Which Cisco security solution should they deploy?

A.Cisco Umbrella
B.Cisco WAF (Web Application Firewall)
C.Cisco Firepower NGFW
D.Cisco Stealthwatch
AnswerB

Cisco WAF protects web applications from application-layer DDoS attacks.

Why this answer

A Web Application Firewall (WAF) is the correct solution because it specifically inspects and filters HTTP/HTTPS traffic at the application layer (Layer 7), protecting against DDoS attacks such as HTTP floods, SQL injection, and cross-site scripting. Cisco WAF (often delivered via Cisco Secure Web Application or integrated with AWS WAF) can rate-limit requests, block malicious payloads, and enforce positive security models to mitigate application-layer DDoS. This directly addresses the requirement to protect a web application migrating to AWS against Layer 7 attacks.

Exam trap

The trap here is that candidates often confuse a network-layer DDoS mitigation solution (like Firepower NGFW or Umbrella) with an application-layer WAF, failing to recognize that only a WAF provides the deep HTTP inspection and rate-limiting needed for Layer 7 attacks.

How to eliminate wrong answers

Option A is wrong because Cisco Umbrella is a cloud-delivered DNS-layer security solution that protects against malicious domains and phishing, but it does not inspect application-layer HTTP traffic or mitigate DDoS attacks at Layer 7. Option C is wrong because Cisco Firepower NGFW is a network firewall that operates primarily at Layers 3 and 4, with some Layer 7 capabilities via IPS, but it is not optimized for web application-specific DDoS mitigation and lacks the granular HTTP inspection and rate-limiting features of a dedicated WAF. Option D is wrong because Cisco Stealthwatch is a network visibility and analytics tool that uses NetFlow/IPFIX to detect anomalies and threats, but it does not actively block or mitigate application-layer DDoS attacks; it is a detection-only solution.

97
MCQhard

An enterprise migrated its e-commerce application to AWS. They use Cisco Secure Workload (Tetration) for microsegmentation. After enabling enforcement, legitimate traffic between the web tier and database tier is being blocked. The security team verified that the policy allows the traffic based on labels. The Tetration console shows the enforcement mode as 'active blocking'. The database server is in a different VPC, and the web server is in a public subnet. The agents are running on both workloads and report correctly. Which configuration step is most likely missing?

A.The cloud connector (e.g., AWS cloud connector) is not configured
B.The enforcement scope does not include the VPC peering connection
C.The application dependency mapping needs to be refreshed
D.The agents on the database server are not running
AnswerA

Cloud connector provides metadata that allows Tetration to understand cloud networking and apply policies correctly across VPCs.

Why this answer

Cisco Secure Workload (Tetration) relies on cloud connectors to synchronize cloud infrastructure metadata (e.g., VPCs, subnets, instances) and enforce microsegmentation policies across VPC boundaries. Without a configured AWS cloud connector, Tetration cannot discover or enforce policies on resources in a different VPC, even if agents are running and labels are correctly assigned. The 'active blocking' enforcement mode indicates the policy is being applied, but the missing connector prevents the policy from being properly mapped to the database server in the separate VPC, causing legitimate traffic to be blocked.

Exam trap

Cisco often tests the misconception that agents alone are sufficient for policy enforcement across VPCs, when in fact the cloud connector is required to bridge the cloud infrastructure metadata gap.

How to eliminate wrong answers

Option B is wrong because the enforcement scope in Tetration is defined by labels and agent groupings, not by VPC peering connections; VPC peering is a network-layer construct that Tetration does not directly manage or require for policy enforcement. Option C is wrong because application dependency mapping is used for visibility and policy recommendation, not for the active enforcement of existing policies; refreshing it would not resolve a connectivity issue caused by a missing cloud connector. Option D is wrong because the question explicitly states that agents are running on both workloads and report correctly, so the agents are not the problem.

98
Multi-Selecthard

Which THREE attributes can be used in an ISE authorization policy based on endpoint identity?

Select 3 answers
A.Certificate subject DN
B.AD user group
C.Time of day
D.Switch IP address
E.Device MAC address
AnswersA, B, E

Subject DN from a client certificate identifies the endpoint or user.

Why this answer

Options A, B, and E are correct because endpoint identity can be based on a certificate subject DN, an Active Directory user group, or the device MAC address. Option C is incorrect because time of day is an environmental attribute. Option D is incorrect because switch IP address is a network location attribute, not endpoint identity.

99
MCQeasy

Based on the exhibit, what does the 'Isolated: Yes' status indicate?

A.The connector is disconnected from the cloud and requires a reboot.
B.The connector is in a quarantine mode due to a loss of cloud connectivity.
C.The connector is permanently blocked by a firewall and needs manual reconfiguration.
D.The network component is disabled, preventing network traffic monitoring.
AnswerB

'Isolated' indicates the connector cannot reach the cloud but continues to protect with local rules.

Why this answer

Option B is correct. The 'Isolated' status means the connector is in a temporary state where it cannot communicate with the AMP cloud, but it may still function with cached rules. Option A is incorrect because the connector is still connected and working in a limited capacity, so a reboot is not required.

Option C is incorrect because 'Isolated' does not require manual intervention; it may auto-recover. Option D is incorrect because a disabled network component would show 'Network Component: Disabled'.

100
MCQmedium

A remote user is unable to connect to the corporate VPN using Cisco AnyConnect. The user has internet access and can reach the ASA's public IP. The ASA administrator checks and sees that the remote access VPN configuration is correct. What is the most likely client-side issue?

A.The client is using an outdated version of AnyConnect.
B.The client's DNS is not resolving the VPN hostname.
C.The client's firewall is blocking TCP port 443.
D.The client's certificate is expired or not trusted.
AnswerD

Certificate authentication failure is a common cause when ASA configuration is correct.

Why this answer

The user can reach the ASA's public IP and has internet access, which rules out basic connectivity issues. Since the ASA's VPN configuration is correct, the problem is likely on the client side. A common cause is an expired or untrusted certificate, as AnyConnect uses certificate-based authentication for the SSL/TLS handshake; if the client does not trust the server's certificate or the client's own certificate is expired, the VPN tunnel will fail to establish.

Exam trap

Cisco often tests the distinction between network-layer reachability (IP connectivity) and application-layer authentication (certificate trust), leading candidates to incorrectly choose firewall or DNS issues when the user can already reach the ASA's IP.

How to eliminate wrong answers

Option A is wrong because an outdated AnyConnect version typically causes feature incompatibility or connection failures only if the ASA requires a specific minimum version, but the question states the ASA configuration is correct and does not mention version mismatch; the user can reach the ASA's public IP, so the client is likely running a supported version. Option B is wrong because the user can reach the ASA's public IP directly, meaning DNS resolution is not required for the connection; if the hostname were used, DNS failure would prevent reaching the IP, but the user has already reached the IP. Option C is wrong because TCP port 443 is the default HTTPS port for AnyConnect SSL VPN; if the client's firewall were blocking TCP 443, the user would not be able to reach the ASA's public IP (since HTTPS traffic uses port 443), but the user can reach the IP, indicating port 443 is open.

101
MCQeasy

A security administrator is tasked with implementing a solution that provides single sign-on (SSO) for users accessing multiple enterprise applications. The solution must support SAML 2.0 and integrate with the existing Microsoft Active Directory. Which component is essential for this architecture?

A.Certificate Authority (CA)
B.RADIUS server
C.Identity Provider (IdP)
D.Service Provider (SP)
AnswerC

The IdP authenticates users and generates SAML assertions for SSO.

Why this answer

Option C is correct because an Identity Provider (IdP) is the essential component that authenticates users against Microsoft Active Directory and issues SAML 2.0 assertions to enable single sign-on (SSO) across multiple enterprise applications. The IdP acts as the trusted source of identity, validating credentials and generating signed SAML tokens that Service Providers (SPs) accept without requiring separate logins.

Exam trap

Cisco often tests the distinction between the IdP and SP roles in SAML, and the trap here is that candidates mistakenly choose 'Service Provider' thinking it is the main component for SSO, when in fact the IdP is the central authentication authority that enables SSO across multiple SPs.

How to eliminate wrong answers

Option A is wrong because a Certificate Authority (CA) issues and manages digital certificates for encryption and signing, but it does not perform user authentication or issue SAML assertions, so it is not the core component for SSO with SAML 2.0. Option B is wrong because a RADIUS server provides AAA services for network access (e.g., VPN, wireless) using protocols like EAP, but it does not natively support SAML 2.0 or act as an identity provider for web-based SSO. Option D is wrong because a Service Provider (SP) is the application or resource that consumes SAML assertions to grant access, but it relies on an IdP to perform authentication and generate the assertions, making the IdP essential for the architecture.

102
MCQhard

A network administrator notices that users in the finance department are unable to access a legitimate business web application that uses custom port 8443. The WSA is configured with a decryption policy that decrypts all traffic on port 443. What is the most likely cause of the issue?

A.The decryption policy is not applied to port 8443, so the WSA treats it as non-decrypted traffic which may be blocked by default
B.The WSA is configured with a time-based access rule that only allows access during business hours
C.The WSA cannot decrypt traffic on port 8443, causing a certificate mismatch
D.The web application is blocked by an identity-based access policy
AnswerA

Default access policies often block non-decrypted or non-standard ports unless explicitly allowed.

Why this answer

The WSA's decryption policy is configured to decrypt traffic only on port 443 (HTTPS). Since the finance department's web application uses custom port 8443, the traffic is not subject to decryption. By default, the WSA may block non-decrypted traffic that matches certain security or access policies, or it may treat it as untrusted, leading to access failure.

The most likely cause is that the decryption policy does not cover port 8443, so the WSA applies a default action (often block) to non-decrypted traffic.

Exam trap

Cisco often tests the misconception that decryption policies automatically apply to all HTTPS traffic regardless of port, when in fact they are port-specific and require explicit configuration for non-standard ports.

How to eliminate wrong answers

Option B is wrong because time-based access rules would affect access regardless of port, but the issue is specific to port 8443 not being decrypted, not a time restriction. Option C is wrong because the WSA does not attempt to decrypt traffic on port 8443; it simply does not apply decryption, so no certificate mismatch occurs. Option D is wrong because identity-based access policies would block based on user or group, not specifically due to the port mismatch; the core problem is the decryption policy scope, not identity.

103
Multi-Selecteasy

Which TWO of the following are common causes of email delivery delays in Cisco Email Security Appliance (ESA)? (Select exactly two.)

Select 2 answers
A.Too many recipients in a single message
B.High volume of email in the delivery queue
C.Slow response from the destination mail server during SenderBase reputation check
D.Incorrect MX record for the destination domain
E.Improper SPF record on the sender's domain
AnswersB, C

A backlog in the delivery queue causes queuing delays.

Why this answer

Option B is correct because a high volume of email in the delivery queue indicates that the ESA is experiencing a backlog of messages awaiting delivery. This can occur due to rate limiting, transient delivery failures, or a large number of messages being processed simultaneously, which directly causes delays in email delivery as the queue must be drained sequentially.

Exam trap

Cisco often tests the distinction between causes of delays (e.g., queue buildup or slow external responses) versus causes of permanent failures (e.g., incorrect MX records) or authentication issues (e.g., SPF), leading candidates to confuse delivery failures with delays.

104
MCQhard

A company is using Cisco ISE for guest access. They have configured a guest portal with a self-registration page. Some guests report that after registering, they are not redirected to the success page but instead see a '401 Unauthorized' error. What is the most likely cause?

A.The ISE node is not configured for HTTP redirect.
B.The guest portal certificate is not trusted by the client.
C.The central web authentication (CWA) is not enabled on the switch.
D.The authorization policy for guests is missing.
AnswerC

Without CWA, the switch does not redirect HTTP traffic to ISE, causing a 401 unauthorized error.

Why this answer

Option C is correct because for guest portal redirection after authentication, the switch must be configured for central web authentication (CWA). If CWA is not enabled, the switch does not redirect HTTP traffic to the ISE portal, resulting in a 401 error. Option A is incorrect because ISE HTTP redirect is configured as part of the portal.

Option B is incorrect because a certificate trust issue would cause a warning, not a 401. Option D is incorrect because a missing authorization policy would cause a different error, such as 'Access Denied'.

105
MCQmedium

A company wants to implement software-defined segmentation using Cisco ISE and TrustSec. Which component is responsible for assigning the Security Group Tag (SGT) to packets at the ingress?

A.Endpoint with posture agent
B.Firewall with IPS capability
C.Cisco ISE Policy Service Node
D.Cisco Catalyst switch with CTS
AnswerD

Ingress switch classifies and tags packets with SGT.

Why this answer

Option D is correct because a Cisco Catalyst switch with Cisco TrustSec (CTS) capability is responsible for classifying and tagging packets with the SGT at the ingress port. Option A is incorrect because the endpoint posture agent may report attributes but does not tag. Option B is incorrect because the firewall enforces policies but is not the primary tagging device at the edge.

Option C is incorrect because ISE defines the policy but does not tag packets.

106
MCQmedium

A network administrator is troubleshooting why users in the marketing department cannot access a specific cloud storage site through the Cisco WSA. The access policy for marketing is set to 'Monitor' for the File Sharing category, but the site is blocked. What is the most likely reason?

A.Web reputation threshold is set to block the site.
B.The site is mis-categorized as an unknown URL.
C.A more specific identity or policy is applying a block action.
D.URL filtering is disabled for that policy.
AnswerC

For example, a time-based or user-specific policy may override.

Why this answer

The correct answer is C because Cisco WSA applies policies in a hierarchical order, and a more specific identity or policy (e.g., one based on user group, subnet, or time range) can override a broader policy set to 'Monitor'. Even though the marketing department's access policy is configured to monitor the File Sharing category, a more granular rule may explicitly block the cloud storage site, causing the unexpected block.

Exam trap

The trap here is that candidates assume a policy set to 'Monitor' for a category will always allow traffic, forgetting that Cisco WSA's policy evaluation uses a first-match model where more specific policies can override broader ones.

How to eliminate wrong answers

Option A is wrong because the web reputation threshold is a separate security measure that evaluates the risk score of a URL; if it were blocking the site, the action would be based on reputation, not the File Sharing category policy. Option B is wrong because if the site were mis-categorized as an unknown URL, it would fall under the 'Uncategorized URLs' category, not the File Sharing category, and the policy for marketing would need to explicitly handle that category. Option D is wrong because URL filtering being disabled for that policy would mean no category-based actions apply at all, so the site would not be blocked by a category action; instead, it would be allowed or handled by other mechanisms.

107
MCQmedium

An engineer is designing a cloud security solution using Cisco SD-WAN with cloud on-ramp. They want to ensure that traffic to a specific IaaS provider is inspected by the Cisco Umbrella SIG. Which configuration is necessary on the SD-WAN edge?

A.Configure a service insertion policy for the cloud security provider
B.Apply a DNS security policy
C.Set up a site-to-site VPN to the IaaS
D.Enable direct internet access for the branch
AnswerA

Service insertion redirects traffic to the cloud security service for inspection.

Why this answer

To direct specific traffic to Cisco Umbrella SIG for cloud security inspection, you must configure a service insertion policy on the SD-WAN edge. This policy intercepts traffic based on match criteria (e.g., destination IaaS provider IP/subnet) and forwards it to the cloud security service via a secure tunnel (e.g., IPsec or TLS). Without this policy, the SD-WAN edge will not redirect traffic to Umbrella for inspection.

Exam trap

Cisco often tests the distinction between DNS-layer security (Umbrella DNS) and full proxy-based SIG inspection; candidates mistakenly think DNS security alone provides the same traffic inspection as a service insertion policy.

How to eliminate wrong answers

Option B is wrong because DNS security policy only enforces DNS-layer filtering (e.g., blocking malicious domains) but does not redirect traffic to Umbrella SIG for full HTTP/HTTPS inspection. Option C is wrong because a site-to-site VPN to the IaaS provider would send traffic directly to the IaaS without passing through Umbrella SIG, bypassing cloud security inspection. Option D is wrong because enabling direct internet access (DIA) for the branch allows traffic to exit locally without being steered to the cloud security service; DIA alone does not enforce SIG inspection.

108
Drag & Dropmedium

Drag and drop the steps to troubleshoot an IPsec VPN failure where Phase 1 is not completing into the correct order.


Why this order

Start with reachability, then check UDP 500, compare IKE proposals, verify pre-shared keys, and finally use debug for detailed errors.

109
Multi-Selecthard

A company is designing a remote access VPN solution using Cisco ASA with load balancing. Which three features are essential for high availability and redundancy? (Choose three.)

Select 3 answers
A.Failover
B.Object tracking
C.Split tunneling
D.AnyConnect profiles
E.Clustering
AnswersA, B, E

Failover provides active/standby redundancy, ensuring seamless failover if the active unit fails.

Why this answer

Failover is essential for high availability in Cisco ASA remote access VPN solutions. It allows a standby ASA to take over seamlessly if the primary unit fails, maintaining VPN sessions and ensuring uninterrupted remote access. This is achieved through stateful or stateless failover, where configuration and connection state are synchronized between the paired units.

Exam trap

Cisco often tests the distinction between features that provide redundancy (failover, clustering, object tracking) versus features that improve user experience or configuration convenience (split tunneling, AnyConnect profiles), leading candidates to mistakenly select the latter.

110
MCQeasy

An organization is using Cisco Firepower Threat Defense (FTD) with URL filtering to block access to social media sites during work hours. After implementation, users can still access Facebook and Twitter. The access control policy is configured correctly with a URL category condition. What should the administrator verify first?

A.Ensure that SSL decryption is enabled for the relevant traffic.
B.Confirm that the FTD is configured with a DNS policy to perform DNS snooping for URL filtering.
C.Check that the URL filtering rule is above any other permit rules.
D.Verify that the FTD has an updated URL filtering database.
AnswerB

Without DNS snooping, the FTD cannot categorize URLs for HTTPS traffic and relies on IP reputation, which may not be effective.

Why this answer

Option B is correct because Cisco FTD uses DNS snooping to map domain names to IP addresses for URL filtering when SSL decryption is not enabled. Without DNS snooping, the FTD cannot reliably associate traffic with the requested URL category if the traffic is encrypted, leading to bypasses like users accessing Facebook and Twitter despite a blocking rule.

Exam trap

Cisco often tests the misconception that SSL decryption is required for URL filtering on encrypted traffic, but the correct first step is to verify DNS snooping, which provides a lightweight alternative for domain-based filtering without decryption.

How to eliminate wrong answers

Option A is wrong because SSL decryption is not a prerequisite for URL filtering; DNS snooping allows URL filtering to work on encrypted traffic without decrypting it, and enabling SSL decryption is a separate, more resource-intensive step. Option C is wrong because while rule order matters in access control policies, the question states the policy is configured correctly with a URL category condition, so the issue is not rule placement but the FTD's inability to identify the traffic as social media. Option D is wrong because an outdated URL database would cause incorrect categorization (e.g., blocking a site that is not social media), not a complete bypass of the rule; the database update is a secondary check after verifying DNS snooping.

111
Matchingmedium

Match each protocol to its default port number.


Port numbers: 443, 22, 53, 25, 161

Why these pairings

These are well-known port numbers for common protocols.

112
MCQmedium

A company is deploying a new ASA firewall in a DMZ design. They need to allow web traffic from the internet to a web server in the DMZ, while also permitting outbound traffic from the DMZ to the internet for software updates. Which access control approach best meets these requirements with minimal risk?

A.Create an ACL that permits all inbound and outbound traffic between DMZ and internet.
B.Create an ACL that permits established connections inbound, and allows HTTP/HTTPS from DMZ to internet with application inspection.
C.Create an ACL that permits inbound web traffic to the DMZ server and permits all outbound traffic from DMZ with no inspection.
D.Create an ACL that permits inbound web traffic to the DMZ server and denies all outbound traffic from DMZ.
AnswerB

Balances security and functionality by inspecting traffic and limiting outbound to necessary services.

Why this answer

Option B is correct because it uses the 'established' keyword to allow return traffic for inbound web connections while explicitly permitting outbound HTTP/HTTPS with application inspection. This minimizes risk by not blindly allowing all outbound traffic, and inspection ensures protocol compliance and stateful tracking.

Exam trap

Cisco often tests the misconception that simply allowing 'established' connections is sufficient for outbound traffic, but the trap here is that the question explicitly requires outbound HTTP/HTTPS for updates, which must be explicitly permitted and inspected, not just allowed as return traffic.

How to eliminate wrong answers

Option A is wrong because permitting all inbound and outbound traffic between DMZ and internet violates the principle of least privilege and creates a massive security risk. Option C is wrong because permitting all outbound traffic from DMZ with no inspection bypasses security controls, allowing potential malware exfiltration or unauthorized protocols. Option D is wrong because denying all outbound traffic from DMZ would prevent the required software updates, failing to meet the requirement.

113
MCQhard

An organization uses AWS with a VPC and wants to inspect all traffic between instances in the same subnet using Cisco Firepower. What must be implemented?

A.Configure VPC Endpoints to route traffic through Firepower
B.AWS Traffic Mirroring to send traffic to a Firepower appliance
C.Use AWS Security Groups and log to Firepower
D.Deploy Firepower as a transparent bridge in the subnet
AnswerB

Traffic Mirroring copies packets to Firepower for east-west inspection.

Why this answer

AWS Traffic Mirroring captures and forwards network traffic from Elastic Network Interfaces (ENIs) to a security appliance, such as a Cisco Firepower instance, for inspection. This allows the organization to monitor all traffic between instances within the same subnet without requiring changes to the routing table or placing the Firepower inline, which is not possible in a VPC without a gateway appliance. Option B is correct because Traffic Mirroring is the native AWS feature designed for out-of-band traffic inspection.

Exam trap

Cisco often tests the misconception that you can deploy a transparent bridge or inline firewall within a VPC subnet, but AWS does not support Layer 2 bridging; Traffic Mirroring is the only way to achieve out-of-band inspection for intra-subnet traffic.

How to eliminate wrong answers

Option A is wrong because VPC Endpoints are used to privately connect a VPC to supported AWS services (e.g., S3, DynamoDB) via AWS PrivateLink, not to route inter-instance traffic through a security appliance. Option C is wrong because AWS Security Groups are stateful firewalls that control traffic at the instance level but cannot log traffic to an external appliance like Firepower; they only provide flow logs at the VPC level, not per-packet inspection. Option D is wrong because a transparent bridge deployment requires Layer 2 adjacency and is not supported in an AWS VPC, which is a Layer 3 overlay network; you cannot bridge instances in the same subnet through an external appliance without breaking the VPC's routing architecture.

114
Multi-Selectmedium

Which TWO actions can be configured in a Cisco ESA DLP policy to respond to a violation involving outbound credit card numbers? (Choose two.)

Select 2 answers
A.Deliver the message with a CC to the compliance team
B.Encrypt the message using a secure policy
C.Quarantine the message for review
D.Add a disclaimer that the message is confidential
E.Bounce the message back to the sender
AnswersB, C

Encryption ensures the data is protected even if sent.

Why this answer

Option B is correct because Cisco ESA DLP policies can automatically encrypt outbound messages containing sensitive data like credit card numbers. This ensures that even if the message is intercepted, the content remains protected, which is a common compliance requirement for PCI DSS.

Exam trap

Cisco often tests the distinction between 'notification-only' actions (like CC or disclaimer) and 'enforcement' actions (like encrypt or quarantine), leading candidates to mistakenly select passive options that do not actually prevent data exfiltration.

115
MCQhard

A cloud operations team reports that after enabling Cisco Secure Cloud Analytics (CSCA) for an AWS account, some legitimate traffic is being flagged as suspicious. The team has fine-tuned the ML models but false positives persist. Which additional step should they take?

A.Disable ML-based detection
B.Increase the severity threshold
C.Customize alert rules based on known good behavior
D.Deploy additional sensors in VPC subnets
AnswerC

Whitelists known good traffic to reduce false positives.

Why this answer

C is correct because Cisco Secure Cloud Analytics (CSCA) uses machine learning to establish a baseline of normal traffic behavior. When false positives persist despite fine-tuning ML models, the next logical step is to customize alert rules to explicitly whitelist known good behavior, such as trusted IP ranges or specific application flows. This reduces noise without disabling detection or lowering sensitivity, and it directly addresses the root cause: legitimate traffic that deviates from the baseline but is actually benign.

Exam trap

The trap here is that candidates often confuse 'fine-tuning ML models' with 'adjusting alert thresholds' or 'adding more sensors,' when the correct approach is to use explicit whitelisting via custom alert rules to suppress false positives without compromising detection fidelity.

How to eliminate wrong answers

Option A is wrong because disabling ML-based detection would remove the core anomaly detection capability of CSCA, leaving the environment blind to real threats and defeating the purpose of the deployment. Option B is wrong because increasing the severity threshold would only change the alerting level, not reduce false positives; it might even cause high-severity alerts to be missed for actual attacks. Option D is wrong because deploying additional sensors in VPC subnets would increase visibility into network traffic but does not address the false positive issue; false positives are a tuning problem, not a coverage problem.

116
MCQmedium

An organization requires that all endpoint traffic be verified against a security policy before being forwarded. Which Cisco umbrella solution provides this capability?

A.Cisco AnyConnect
B.Cisco Stealthwatch
C.Cisco Umbrella
D.Cisco Firepower NGFW
AnswerC

Cloud-delivered security for traffic enforcement.

Why this answer

Option C is correct because Cisco Umbrella is a cloud-based security solution that enforces policy for all DNS and IP traffic. Option A is incorrect because AnyConnect is a VPN client. Option B is incorrect because Stealthwatch provides network visibility and analytics.

Option D is incorrect because Firepower is an NGFW.

117
MCQhard

An engineer is troubleshooting traffic drops on a Cisco Firepower Threat Defense (FTD) device. The traffic is allowed by the access control policy but is being dropped. Which feature should the engineer check to identify the cause of the drop?

A.Check the 'show access-list' output for the hit count.
B.Check the 'show route' output for routing issues.
C.Use the 'capture' command with trace option to see packet flow and drop reason.
D.Check the 'show conn' output for the connection state.
AnswerC

Captures packets and shows the disposition, including drops.

Why this answer

Option C is correct because the 'capture' command with the 'trace' option on Cisco FTD provides a detailed, packet-level analysis of how traffic is processed through the firewall pipeline. It shows each step (e.g., ingress, routing, access control, NAT, egress) and explicitly states the drop reason, such as 'action-drop' due to intrusion prevention, URL filtering, or security intelligence, even when the access control policy appears to allow the traffic. This is the only option that directly identifies the specific cause of a drop in the data path.

Exam trap

Cisco often tests the misconception that 'show access-list hit counts' or 'show conn' can diagnose drops, but the trap here is that FTD has multiple inspection layers (prefilter, SSL, intrusion, file, etc.) beyond the basic access control policy, and only a packet trace can pinpoint which layer caused the drop.

How to eliminate wrong answers

Option A is wrong because 'show access-list' hit counts only indicate whether an access control entry (ACE) was matched, not why traffic is dropped after matching; a hit count does not reveal drops due to deeper inspection features like SSL decryption, file policy, or intrusion policy. Option B is wrong because 'show route' checks routing table entries for destination reachability, but traffic drops on FTD often occur after routing decisions (e.g., at the application layer) and routing issues would typically cause a 'no route' drop, not a silent drop when the policy allows traffic. Option D is wrong because 'show conn' displays the state of established connections (e.g., established, time_wait) but does not show why a new packet was dropped before a connection was created; it is useful for connection state but not for identifying drop reasons in the pre-filter or inspection pipeline.
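As an added example (not code from the original page), here is a small Python parser over a constructed trace in the format of `show capture CAP packet-number N trace` / `packet-tracer` output. It pulls out the first phase that returned DROP and the summary Drop-reason, which is exactly what the engineer in the question needs to read; the sample text is constructed and the precise wording of phases varies by FTD release.

```python
"""Parse a Cisco ASA/FTD packet trace and report which phase dropped the packet.

Added example, not part of the original page. SAMPLE_TRACE is constructed to
resemble `show capture ... trace` output; field names follow the real format,
exact text varies by release.
"""
import re
from typing import Optional

# Constructed sample: the access control rule allows the packet, Snort drops it.
SAMPLE_TRACE = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip 10.0.0.0 255.0.0.0 any rule-id 268435458
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 1
Snort id 1, NAP id 1, IPS id 1, Verdict BLOCKLIST
Snort Verdict: (block-list) packet is blocked

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
Action: drop
Drop-reason: (snort-drop) Snort drop, Drop-location: frame 0x... flow (NA)/NA
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$", re.M)
FIELD_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*)$")
DROP_RE = re.compile(r"^Drop-reason:\s*\(([^)]*)\)\s*([^,]*)", re.M)


def parse_phases(trace: str) -> list[dict]:
    """Split the trace into phases; each phase is a dict of its header fields."""
    phases = []
    blocks = PHASE_RE.split(trace)          # [prefix, num1, body1, num2, body2, ...]
    for num, body in zip(blocks[1::2], blocks[2::2]):
        phase = {"phase": int(num)}
        for line in body.splitlines():
            m = FIELD_RE.match(line)
            if not m:
                continue
            key, val = m.group(1).lower(), m.group(2).strip()
            if key in phase:                # a second "Result:" is the summary block
                break
            phase[key] = val
        phases.append(phase)
    return phases


def find_drop(trace: str) -> Optional[dict]:
    """Return the first phase with Result: DROP, annotated with the summary drop reason."""
    for phase in parse_phases(trace):
        if phase.get("result", "").upper() == "DROP":
            m = DROP_RE.search(trace)
            phase["drop_code"] = m.group(1) if m else None
            phase["drop_text"] = m.group(2).strip() if m else None
            return phase
    return None


if __name__ == "__main__":
    drop = find_drop(SAMPLE_TRACE)
    if drop is None:
        print("no drop recorded in the trace; look outside the firewall data path")
    else:
        print(f"dropped in phase {drop['phase']} ({drop['type']}): "
              f"{drop['drop_code']} - {drop['drop_text']}")
```

Run it against a saved trace and the phase name (ACCESS-LIST, NAT, SNORT, ...) tells you which layer to go tune; a trace with no DROP phase at all means the drop is happening before the capture point or after egress, not in the policy pipeline.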

118
Multi-Selectmedium

Which TWO of the following are valid methods for Cisco ISE to collect endpoint attributes for profiling? (Choose TWO)

Select 2 answers
A.Syslog
B.RADIUS Accounting
C.NetFlow Probe
D.SNMP Polling
E.DHCP Probe
AnswersC, E

NetFlow and DHCP probes passively collect endpoint attributes from network telemetry.

Why this answer

Option C is correct because the ISE NetFlow probe ingests NetFlow records exported by network devices and uses the flow attributes (IP addresses, ports, protocols) to profile endpoints. Option E is correct because the DHCP probe (fed by an ip helper-address pointing at the ISE node, or the DHCP SPAN variant) parses DHCP attributes such as the client identifier, parameter request list and vendor class identifier, which are among the strongest profiling fingerprints. Both methods are passive and require no agent on the endpoint.

Exam trap

Cisco often tests probe names. ISE also has a RADIUS probe, which harvests attributes from both authentication and accounting messages (for example Calling-Station-ID and Framed-IP-Address), and an SNMP Query probe, so 'RADIUS Accounting' and 'SNMP Polling' are distractors on naming rather than on capability. On the exam, pick the options that match the documented probe names (NetFlow, DHCP, DHCP SPAN, HTTP, RADIUS, NMAP, DNS, SNMP Query, SNMP Trap, Active Directory, pxGrid); Syslog is not an ISE profiling probe.

119
MCQmedium

A network administrator is configuring Cisco Firepower Threat Defense (FTD) in routed mode to provide intrusion prevention (IPS) for internal traffic. They create an access control rule that allows traffic from the internal network (10.0.0.0/8) to the internet, and they attach an intrusion policy to this rule. After deploying the configuration, they generate known malicious traffic from a test host and observe that no alerts are triggered in the Firepower Management Center (FMC). The administrator checks the FTD and confirms that the Snort process is running, and the rule is at the top of the access control policy with action 'Allow'. What is the most likely cause of this issue?

A.The FTD is configured in transparent mode.
B.The traffic is being fast-pathed and bypassing the Snort engine.
C.The access control rule action is set to 'Allow' rather than 'Allow with Intrusion Prevention'.
D.The intrusion policy is not associated with the correct preprocessor.
AnswerB

Traffic that a prefilter Fastpath or Trust rule hands to the data plane never reaches Snort, so the attached intrusion policy is never evaluated.

Why this answer

In Cisco FTD, an access control rule with action 'Allow' does send matching traffic to the Snort engine for whatever intrusion, file and malware policies are attached to the rule; there is no separate 'Allow with Intrusion Prevention' action (the rule actions are Allow, Trust, Monitor, Block, Block with reset, Interactive Block and Interactive Block with reset). If Snort is running and the Allow rule with the intrusion policy is at the top of the access control policy, the remaining explanation for zero intrusion events is that the test traffic never reached Snort. The prefilter policy is evaluated before the access control policy, and a Fastpath rule (or a Trust rule) matching the test host hands the flow to the LINA data plane only, bypassing deep inspection entirely. Verify with a packet capture with trace and by checking the prefilter policy and any Trust rules for the source and destination used in the test.

Exam trap

Cisco often tests the misconception that attaching an intrusion policy to an Allow rule is not enough. It is, so when inspection silently does not happen, look for what bypasses Snort (prefilter Fastpath, Trust rules, Intelligent Application Bypass) rather than for a rule action that does not exist.

How to eliminate wrong answers

Option A is wrong because the FTD is confirmed to be in routed mode, and transparent mode would not disable Snort inspection in any case. Option C is wrong because 'Allow with Intrusion Prevention' is not an FTD rule action; Allow plus an attached intrusion policy is exactly how IPS is enabled on a rule. Option D is wrong because intrusion policies are not bound to preprocessors; preprocessors are configured in the network analysis policy, and a mismatch there would not cause all inspection to silently stop.

120
MCQmedium

An organization uses Cisco Umbrella to secure remote users. The security team wants to ensure that all DNS queries from endpoints are forwarded to Umbrella even when users are off the corporate network. Which deployment method achieves this?

A.Configure a network-based proxy
B.Use a PAC file to redirect traffic
C.Use BGP injection to advertise Umbrella IPs
D.Deploy the Cisco Umbrella Roaming Client on endpoints
AnswerD

Roaming client ensures off-net DNS forwarding.

Why this answer

The Cisco Umbrella Roaming Client is specifically designed to enforce DNS security on endpoints regardless of their network location. It installs a local DNS forwarder that intercepts the endpoint's DNS queries and sends them to Umbrella's cloud resolvers (encrypted), ensuring protection even when users are off the corporate network. This method does not rely on network-level configurations, which are ineffective for remote users. The same roaming functionality is also delivered as the Umbrella module of Cisco AnyConnect / Cisco Secure Client, which is the usual choice when a VPN client is already deployed.

Exam trap

Cisco often tests the distinction between network-level controls (proxy, BGP) and endpoint-level controls (roaming client), leading candidates to incorrectly choose a network-based solution for remote users who are not on the corporate network.

How to eliminate wrong answers

Option A is wrong because a network-based proxy requires traffic to be routed through a central proxy server, which is not feasible for remote users who are not connected to the corporate network. Option B is wrong because a PAC file directs web traffic to a proxy based on URL patterns but does not enforce DNS forwarding to Umbrella; it only affects HTTP/HTTPS traffic, not all DNS queries. Option C is wrong because BGP injection is a routing technique used to influence traffic paths at the network level, typically for on-premises or data center environments, and cannot be applied to individual remote endpoints.

121
MCQmedium

Refer to the exhibit. A Cisco ASA firewall is deployed in a cloud environment. After applying this ACL to an interface, users report that they cannot access cloud instances from on-premises. What is the most likely cause?

A.The ACL allows all traffic but users need NAT
B.The ACL is applied to the wrong interface
C.The ACL blocks all RFC 1918 private addresses, which may include the cloud VPC CIDR
D.The ACL permits only private addresses
AnswerC

Cloud VPCs often use private IP ranges, which are denied.

Why this answer

Option C is correct because the ACL in the exhibit denies the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) ahead of its permit entries. Cloud VPCs and VNets are almost always addressed out of these ranges, so if the VPC CIDR falls inside one of the denied blocks the ACL drops the on-premises-to-cloud traffic even though routing and NAT are correct. Before applying such an ACL, compare every VPC CIDR against the denied prefixes; an anti-spoofing ACL that is sensible on an internet edge is wrong on an interface that faces private cloud address space.

Exam trap

The trap here is that candidates assume RFC 1918 blocks are safe for cloud environments, but cloud VPCs frequently use these private ranges, so blocking them breaks connectivity to cloud instances.

How to eliminate wrong answers

Option A is wrong because NAT is not required for traffic that is already routed correctly; the issue is an ACL blocking traffic, not a lack of NAT. Option B is wrong because the question states the ACL was applied to an interface, and there is no indication it was applied to the wrong interface; the problem is the ACL content, not its placement. Option D is wrong because the ACL does not permit only private addresses; it explicitly denies RFC 1918 addresses, which is the opposite of permitting them.
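As an added example (not from the original page), the pre-deployment check described above in Python: parse an ASA-style extended ACL and evaluate, top-down and first-match, whether on-premises traffic to each cloud VPC CIDR would be permitted, denied, or only partially covered by an entry. The ACL, the on-premises prefix and the VPC CIDRs are constructed for the example.

```python
"""Check whether an ASA-style ACL would deny traffic to cloud VPC CIDRs.

Added example, not part of the original page; SAMPLE_ACL and the prefixes
are constructed. ASA extended ACEs use dotted subnet masks (10.0.0.0
255.0.0.0), are evaluated top-down with first match winning, and end in
an implicit deny.
"""
import ipaddress
import re

# Constructed ACL in the spirit of the question: "block private space".
SAMPLE_ACL = """\
access-list OUTSIDE_IN extended deny ip any 10.0.0.0 255.0.0.0
access-list OUTSIDE_IN extended deny ip any 172.16.0.0 255.240.0.0
access-list OUTSIDE_IN extended deny ip any 192.168.0.0 255.255.0.0
access-list OUTSIDE_IN extended permit ip any any
"""

# Address tokens handled: any | host A.B.C.D | A.B.C.D M.M.M.M
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+"
    r"(any|host\s+\S+|\S+\s+\S+)\s+(any|host\s+\S+|\S+\s+\S+)\s*$"
)


def to_network(token: str) -> ipaddress.IPv4Network:
    """Convert an ASA address token to an IPv4Network."""
    if token == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.IPv4Network(f"{parts[1]}/32")
    return ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}")  # dotted mask is accepted


def parse_acl(text: str) -> list[dict]:
    """Parse ACE lines in order; lines that are not ACEs (remarks, etc.) are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, action, proto, src, dst = m.groups()
        aces.append({"name": name, "action": action, "proto": proto,
                     "src": to_network(src), "dst": to_network(dst), "text": line})
    return aces


def first_match(aces, src_net, dst_net):
    """First ACE covering the whole source and destination prefix.

    If an ACE only partially overlaps the destination prefix, return it with
    action 'partial': some hosts in the VPC would hit it and others would not.
    """
    for ace in aces:
        if not src_net.subnet_of(ace["src"]):
            continue
        if dst_net.subnet_of(ace["dst"]):
            return ace
        if dst_net.overlaps(ace["dst"]):
            return {**ace, "action": "partial"}
    return None  # implicit deny


def vpc_reachability(acl_text: str, onprem: str, vpc_cidrs: list[str]) -> dict:
    """Map each VPC CIDR to (action, matching ACE text)."""
    aces = parse_acl(acl_text)
    src = ipaddress.IPv4Network(onprem)
    result = {}
    for cidr in vpc_cidrs:
        ace = first_match(aces, src, ipaddress.IPv4Network(cidr))
        result[cidr] = (ace["action"], ace["text"]) if ace else ("deny", "implicit deny")
    return result


if __name__ == "__main__":
    # Constructed: on-prem users in 192.168.50.0/24; three VPC ranges to reach.
    for cidr, (action, ace) in vpc_reachability(
            SAMPLE_ACL, "192.168.50.0/24",
            ["10.20.0.0/16", "172.31.0.0/16", "100.64.0.0/10"]).items():
        print(f"{cidr:>16}: {action:<8} <- {ace}")
```

Two of the three constructed VPC ranges are denied by the RFC 1918 entries; only the 100.64.0.0/10 range (shared address space, not RFC 1918) reaches the final permit, which is the kind of result that should stop a change before it is pushed to the interface.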

122
MCQhard

A university is deploying 802.1X authentication for wired access using Cisco ISE. The network consists of Cisco Catalyst switches. The authentication is working for most users, but some users in a specific building are experiencing frequent authentication failures, especially during peak hours. The switches in that building are configured with RADIUS settings pointing to ISE. ISE logs show that authentication requests are being sent but sometimes time out. The network team suspects that the issue is related to RADIUS server load balancing, as the ISE deployment includes two nodes in a distributed model. What is the most likely cause of the timeouts?

A.The RADIUS shared secret is misconfigured on some switches.
B.The switches are not configured with the correct VLAN assignments.
C.The switches are using the wrong RADIUS accounting port.
D.The ISE nodes are not configured for load balancing, causing one node to be overwhelmed.
AnswerD

Without load balancing, all requests may go to one node, causing overload and timeouts during peak times.

Why this answer

Option D is correct because the symptoms, intermittent timeouts during peak hours in a specific building, point to a load-distribution issue rather than a configuration error. In a distributed ISE deployment, if the switches in that building reference only one Policy Service Node, or reference both but without a working failover and load-balancing configuration, that node can be saturated during peak authentication bursts and requests time out while the other node sits idle. The fact that authentication works for most users but fails during peak hours in one building strongly suggests that the switches there send all requests to a single ISE node that cannot handle the load. On Catalyst IOS/IOS-XE this is addressed by defining both PSNs in one aaa group server radius group (optionally with load-balance method least-outstanding) and a deadtime so a node that stops answering is skipped rather than retried by every client.

Exam trap

Cisco often tests the distinction between authentication failures caused by misconfiguration (e.g., shared secret, VLAN) versus performance-related timeouts due to load balancing, tempting candidates to pick a configuration error when the real issue is capacity or distribution.

How to eliminate wrong answers

Option A is wrong because a misconfigured RADIUS shared secret would cause consistent authentication failures for all users on the affected switches, not intermittent timeouts during peak hours. Option B is wrong because incorrect VLAN assignments would result in successful authentication but incorrect network access (e.g., wrong VLAN), not RADIUS timeouts. Option C is wrong because the RADIUS accounting port (typically UDP 1813) is used for accounting messages, not authentication; authentication uses UDP 1812, and a misconfigured accounting port would not cause authentication timeouts.

123
MCQmedium

A company is deploying Cisco ISE to enforce access policies based on endpoint posture. Endpoints must be compliant before being granted full network access. Which policy type is used to define the compliance requirements?

A.Authentication policy
B.Profiling policy
C.Posture policy
D.Authorization policy
AnswerC

Defines compliance requirements.

Why this answer

Option C is correct because the Posture policy defines the compliance requirements (for example antivirus, patch level, disk encryption) and the remediation actions. Option A is incorrect because the Authentication policy determines how identity is validated. Option D is incorrect because the Authorization policy determines the resulting access after authentication and posture (for example a quarantine result versus full access).

Option B is incorrect because the Profiling policy identifies device type.

124
Multi-Selecthard

Which TWO are valid considerations for deploying Cisco Firepower NGIPS with inline mode? (Choose two.)

Select 2 answers
A.Inline mode automatically decrypts SSL traffic without configuration.
B.The IPS engine inspects all traffic regardless of prefilter policies.
C.Inline interfaces can drop malicious packets based on signatures and anomalies.
D.Inline mode requires the use of passive interfaces for failover.
E.Hardware bypass is supported on specific Firepower appliances to ensure network continuity during device failure.
AnswersC, E

Inline mode enables dropping of traffic.

Why this answer

Option C is correct because inline mode in Cisco Firepower NGIPS allows the system to actively drop malicious packets based on signature matches and anomaly detection. Unlike passive monitoring, inline interfaces sit directly in the traffic path, enabling the IPS engine to enforce blocking actions in real time. Option E is correct because selected Firepower appliances offer hardware bypass (fail-to-wire) network modules for inline pairs, so that a power or software failure passes traffic through rather than blackholing the link; this is a design consideration precisely because inline placement makes the sensor a single point of failure.

Exam trap

Cisco often tests the misconception that inline mode automatically inspects all traffic, but candidates must remember that prefilter policies can bypass the IPS engine entirely, and SSL decryption is never automatic.

125
Multi-Selecthard

Which THREE of the following are common indicators of a DDoS attack at the network layer?

Select 3 answers
A.A spike in UDP traffic to a single target
B.Unusual traffic on non-standard TCP/UDP ports
C.A high number of TCP SYN packets from multiple sources
D.High CPU usage on network devices
E.A sudden increase in ICMP echo request packets from many IPs
AnswersA, C, E

UDP flood is a common network-layer DDoS.

Why this answer

A spike in UDP traffic to a single target is the classic sign of a UDP flood, a common network-layer DDoS: attackers send a high volume of UDP packets, often to random ports, consuming bandwidth and forcing the target to generate ICMP unreachables. It is a direct Layer 3/4 attack that requires no handshake, so it is cheap to generate and hard to mitigate without upstream filtering. The other two indicators are of the same kind: a high rate of TCP SYNs from many sources with no completed handshakes (C, a SYN flood exhausting the connection table) and a surge of ICMP echo requests from many IPs (E, an ICMP flood).

Exam trap

Cisco often tests the distinction between network-layer (Layer 3/4) indicators and generic symptoms. 'Unusual traffic on non-standard ports' is an anomaly worth investigating (scanning, tunnelling, C2), but it does not by itself indicate a DDoS, and high CPU on network devices (D) is a consequence with many possible causes; neither is a specific network-layer DDoS indicator. Note also that DNS amplification, although it abuses an application protocol on the reflectors, hits the victim as a volumetric UDP flood and would show up as option A.
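As an added example (not from the original page), here is the detection logic behind indicators A, C and E run over constructed flow records shaped like simplified NetFlow/IPFIX exports. It counts distinct sources sending SYN-only flows per destination, UDP packet volume and destination-port spread per destination, and distinct ICMP echo sources per destination; the thresholds are illustrative and must be tuned to the monitored network's baseline.

```python
"""Flag network-layer DDoS indicators (SYN, UDP and ICMP floods) in flow records.

Added example, not part of the original page. Records are constructed to look
like simplified NetFlow/IPFIX exports; thresholds are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # destination port, 0 for ICMP
    flags: str      # cumulative TCP flags seen in the flow ("S", "SA", ...), "" for non-TCP
    packets: int


def constructed_flows() -> list[Flow]:
    """Constructed sample: three flood victims plus legitimate web traffic."""
    flows = []
    # SYN flood: many spoofed sources, one target, SYN only, one packet per flow
    flows += [Flow(f"198.51.100.{i}", "203.0.113.10", "tcp", 443, "S", 1)
              for i in range(1, 201)]
    # UDP flood: random high destination ports on one target
    flows += [Flow(f"192.0.2.{i % 50 + 1}", "203.0.113.20", "udp", 30000 + i, "", 40)
              for i in range(300)]
    # ICMP echo flood from many sources
    flows += [Flow(f"198.51.100.{i}", "203.0.113.30", "icmp", 0, "", 25)
              for i in range(1, 151)]
    # Legitimate background: handshakes that complete (SYN and ACK seen)
    flows += [Flow(f"192.0.2.{i}", "203.0.113.40", "tcp", 443, "SA", 12)
              for i in range(1, 31)]
    return flows


def detect(flows: list[Flow], syn_src_min: int = 100, udp_pkt_min: int = 5000,
           udp_port_spread_min: int = 100, icmp_src_min: int = 100) -> list[tuple]:
    """Return (target, indicator, measure) tuples, sorted by target."""
    syn_srcs = defaultdict(set)     # dst -> sources with SYN-only (half-open) flows
    udp_pkts = defaultdict(int)     # dst -> total UDP packets
    udp_ports = defaultdict(set)    # dst -> distinct UDP destination ports
    icmp_srcs = defaultdict(set)    # dst -> distinct ICMP sources
    for f in flows:
        if f.proto == "tcp" and f.flags == "S":
            syn_srcs[f.dst].add(f.src)
        elif f.proto == "udp":
            udp_pkts[f.dst] += f.packets
            udp_ports[f.dst].add(f.dport)
        elif f.proto == "icmp":
            icmp_srcs[f.dst].add(f.src)

    findings = []
    for dst, srcs in syn_srcs.items():
        if len(srcs) >= syn_src_min:
            findings.append((dst, "syn_flood", len(srcs)))
    for dst, pkts in udp_pkts.items():
        # Volume alone is ambiguous (video, DNS); random port spread is the tell.
        if pkts >= udp_pkt_min and len(udp_ports[dst]) >= udp_port_spread_min:
            findings.append((dst, "udp_flood", pkts))
    for dst, srcs in icmp_srcs.items():
        if len(srcs) >= icmp_src_min:
            findings.append((dst, "icmp_flood", len(srcs)))
    return sorted(findings)


if __name__ == "__main__":
    for target, kind, measure in detect(constructed_flows()):
        print(f"{target}: {kind} (measure={measure})")
```

The legitimate web host never appears because its flows carry the ACK flag; in real exports you would also window the counts (per minute, say) so that a day's worth of normal traffic does not accumulate into a false flood.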

126
MCQmedium

Refer to the exhibit. An administrator has configured the router with zone-based firewall rules. Traffic from the DMZ zone to the OUTSIDE zone is being dropped, although traffic from the INSIDE zone to the OUTSIDE zone flows normally. The DMZ zone is configured with security-level 50 and the INSIDE zone with 100. What is the most likely cause of the dropped traffic?

A.The inspect action is not applied to the DMZ traffic class
B.No zone-pair is defined for traffic from DMZ to OUTSIDE
C.The class-default action in the policy-map drops all traffic from DMZ
D.The DMZ has a lower security-level than the INSIDE zone, causing traffic to be implicitly denied
AnswerB

The zone-pair is only defined for source INSIDE to destination OUTSIDE, leaving DMZ traffic without any policy.

Why this answer

The zone-pair is only defined for source INSIDE to destination OUTSIDE, so no policy is applied to traffic from DMZ to OUTSIDE, and IOS ZBFW drops inter-zone traffic that has no zone-pair. The class-default inside DMZ_OUT_POLICY would drop unmatched traffic, but that policy-map is never attached to a DMZ->OUTSIDE zone-pair, so it is not what is dropping the traffic. Option B is correct because the DMZ zone is not included in any zone-pair.

Options C and D are incorrect: the policy-map itself is correct (its class-default only matters once the policy is attached), and security levels are an ASA concept that plays no role in IOS ZBFW, so the 50/100 values in the question are a distractor. Option A is incorrect because the inspect action is present for the matched traffic class.
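As an added example (not from the original page), a Python check that parses a constructed IOS ZBFW excerpt matching the scenario above and reports which required inter-zone flows have no zone-pair (or a zone-pair with no service-policy), plus policy-maps that exist but are attached nowhere, which is the clue the exhibit is built around. The configuration text is constructed; the zone and policy names are taken from the question.

```python
"""Find inter-zone flows that no IOS ZBFW zone-pair covers.

Added example, not part of the original page. SAMPLE_CONFIG is constructed
from the question: INSIDE->OUTSIDE has a zone-pair, DMZ->OUTSIDE does not,
and DMZ_OUT_POLICY exists without being attached. In IOS ZBFW, traffic
between two different zones with no zone-pair is dropped regardless of any
policy-map that exists but is unattached.
"""
import re

SAMPLE_CONFIG = """\
zone security INSIDE
zone security DMZ
zone security OUTSIDE
class-map type inspect match-any WEB_TRAFFIC
 match protocol http
 match protocol https
policy-map type inspect INSIDE_OUT_POLICY
 class type inspect WEB_TRAFFIC
  inspect
 class class-default
  drop
policy-map type inspect DMZ_OUT_POLICY
 class type inspect WEB_TRAFFIC
  inspect
 class class-default
  drop
zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_OUT_POLICY
"""

ZONE_RE = re.compile(r"^zone security (\S+)$", re.M)
# A zone-pair line, optionally followed by its indented service-policy line.
PAIR_RE = re.compile(
    r"^zone-pair security (\S+) source (\S+) destination (\S+)\n"
    r"(?: service-policy type inspect (\S+))?", re.M)
POLICY_RE = re.compile(r"^policy-map type inspect (\S+)$", re.M)


def parse_zbfw(config: str) -> dict:
    """Extract zones, zone-pairs (with attached policy, '' if none) and policy-maps."""
    zones = set(ZONE_RE.findall(config))
    pairs = {(src, dst): {"name": name, "policy": policy}
             for name, src, dst, policy in PAIR_RE.findall(config)}
    policies = set(POLICY_RE.findall(config))
    return {"zones": zones, "pairs": pairs, "policies": policies}


def uncovered_flows(config: str, required: list[tuple[str, str]]) -> list[dict]:
    """Return the required (source, destination) flows that ZBFW will drop, and why."""
    parsed = parse_zbfw(config)
    problems = []
    for src, dst in required:
        if src not in parsed["zones"] or dst not in parsed["zones"]:
            problems.append({"flow": (src, dst), "reason": "undefined zone"})
            continue
        pair = parsed["pairs"].get((src, dst))
        if pair is None:
            problems.append({"flow": (src, dst), "reason": "no zone-pair"})
        elif not pair["policy"]:
            problems.append({"flow": (src, dst),
                             "reason": f"zone-pair {pair['name']} has no service-policy"})
    return problems


def orphan_policies(config: str) -> set[str]:
    """Policy-maps that are defined but attached to no zone-pair."""
    parsed = parse_zbfw(config)
    attached = {p["policy"] for p in parsed["pairs"].values() if p["policy"]}
    return parsed["policies"] - attached


if __name__ == "__main__":
    required = [("INSIDE", "OUTSIDE"), ("DMZ", "OUTSIDE")]
    for problem in uncovered_flows(SAMPLE_CONFIG, required):
        print(f"{problem['flow'][0]} -> {problem['flow'][1]}: {problem['reason']}")
    print("unattached policy-maps:", sorted(orphan_policies(SAMPLE_CONFIG)))
```

The check is for inter-zone flows only: traffic between interfaces in the same zone is permitted without a zone-pair, and traffic to or from the router itself is governed by the self zone, which this parser does not model.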

127
MCQhard

A company uses Microsoft Azure and has deployed Cisco CloudCenter for workload lifecycle management. They also use Cisco Firepower NGFW in Azure. A security analyst notices that the Firepower logs show outbound connections from a workload to an IP address in a known threat feed. The workload is a Linux server that runs a custom application. The analyst checks Azure Network Security Groups (NSGs) and finds that outbound traffic is not restricted. The company's policy requires that all outbound traffic be inspected and logged. The analyst wants to block the specific IP while allowing other outbound traffic. Which action should be taken?

A.Configure the NSG to deny all outbound traffic and then add allow rules for known good destinations.
B.Create a Firepower Access Control policy rule to block traffic to the threat IP and log it.
C.Add a network security group rule to block the specific IP address.
D.Modify the route table to send all outbound traffic through a firewall, bypassing the NSG.
AnswerB

Correct: Firepower can use dynamic threat intelligence to block.

Why this answer

Option B is correct because Cisco Firepower NGFW is the inline security enforcement point in this Azure deployment, and it can inspect and log all outbound traffic. Creating a Firepower Access Control policy rule to block the specific threat IP and log it directly enforces the security policy at the firewall layer, which is the only device capable of deep packet inspection and logging as required by company policy. NSGs operate at Layer 3/4 and cannot inspect application-layer traffic or integrate with threat feeds for granular IP blocking without affecting other traffic.

Exam trap

Cisco often tests the misconception that Azure NSGs can replace a dedicated firewall for outbound traffic inspection and logging, but NSGs lack application-layer visibility and cannot enforce granular threat-feed-based blocking while maintaining required logging.

How to eliminate wrong answers

Option A is wrong because denying all outbound traffic in an NSG and then allow-listing known good destinations is a blunt control that breaks the custom application's legitimate outbound connections, and an NSG still cannot perform the inspection and logging the policy mandates (NSG flow logs record 5-tuples, not content). Option C is wrong because Azure NSGs are stateful Layer 3/4 filters: a rule blocking one IP would work as a stopgap, but it does not inspect or log the traffic as required and does not consume the threat feed the firewall already has, so the block would have to be maintained by hand. Option D is wrong because changing the route table to force traffic through the firewall does not itself block anything; the Firepower deployment in the question already sees the traffic (it logged the connection), so the missing piece is the blocking rule, not the routing.

128
MCQhard

In a Cisco TrustSec deployment, security group tags (SGTs) are used to represent user and device roles. These tags must be propagated across the network. Which protocol is used to carry SGT information in Ethernet frames?

A.MPLS
B.VXLAN
C.GRE
D.IEEE 802.1Q with SGT encapsulation (Cisco proprietary)
AnswerD

Cisco TrustSec uses SGT over 802.1Q or other L2 methods.

Why this answer

Cisco TrustSec uses SGTs to enforce role-based access control. For inline tagging, Cisco inserts a proprietary Cisco MetaData (CMD) header into the Ethernet frame, identified by EtherType 0x8909 and carried after the 802.1Q tag where one is present; the header holds the 16-bit SGT and is followed by the original EtherType of the payload. Switches and routers that understand CMD read the tag directly from the frame and enforce SGACLs without any additional tunnel encapsulation; hops that do not understand it are the reason SXP exists.

Exam trap

Cisco often tests the distinction between standard 802.1Q and the proprietary SGT extension, and the trap here is that candidates may confuse VXLAN's Group Policy ID (GPID) with the native Ethernet frame method, or assume MPLS or GRE are used for SGT transport because they are common encapsulation protocols.

How to eliminate wrong answers

Option A is wrong because MPLS (Multiprotocol Label Switching) is a label-switching mechanism used for traffic engineering and VPNs, not for carrying SGT information in Ethernet frames; TrustSec does not use MPLS for SGT propagation. Option B is wrong because VXLAN (Virtual Extensible LAN) is a network virtualization overlay protocol that encapsulates Layer 2 frames in UDP, but it is not the native method for carrying SGTs in Ethernet frames; while VXLAN can carry group policy information via the Group Policy ID (GPID) field, the question specifically asks for the protocol used in Ethernet frames, which is the Cisco proprietary 802.1Q extension. Option C is wrong because GRE (Generic Routing Encapsulation) is a tunneling protocol used to encapsulate packets for transport across IP networks, but it is not designed to carry SGT metadata within Ethernet frames.
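As an added example (not from the original page), a Python builder and parser for a frame carrying an inline SGT. The layout used is the one shown by common protocol dissectors for Cisco MetaData: EtherType 0x8909, then Version (1 byte), Length (1 byte), SGT Option Type (2 bytes, 0x0001), SGT Option Length (2 bytes), SGT value (2 bytes), then the original EtherType; the Length and option-length values (1 and 1) are reproduced as dissectors display them and are an assumption here, as are the constructed MAC addresses and payload.

```python
"""Build and parse Ethernet frames carrying a Cisco MetaData (CMD) header with an SGT.

Added example, not part of the original page. Header layout as displayed by
common dissectors (assumed): 0x8909 | Version(1) | Length(1) | SGT Option
Type(2)=0x0001 | SGT Option Length(2) | SGT(2) | original EtherType(2).
The frame bytes are constructed, not captured.
"""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_CMD = 0x8909
ETHERTYPE_IPV4 = 0x0800
CMD_VERSION = 1
CMD_SGT_OPTION_TYPE = 0x0001


def build_frame(dst_mac: bytes, src_mac: bytes, vlan: int, sgt: int,
                payload: bytes, inner_type: int = ETHERTYPE_IPV4) -> bytes:
    """Construct dst | src | 802.1Q tag | CMD(SGT) | inner EtherType | payload."""
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    # Length=1 and option length=1 are the values dissectors show (assumption).
    cmd = struct.pack("!HBBHHH", ETHERTYPE_CMD, CMD_VERSION, 1,
                      CMD_SGT_OPTION_TYPE, 1, sgt & 0xFFFF)
    return dst_mac + src_mac + tag + cmd + struct.pack("!H", inner_type) + payload


def parse_frame(frame: bytes) -> dict:
    """Walk the header chain; return vlan, sgt (None if absent), inner EtherType, payload offset."""
    if len(frame) < 14:
        raise ValueError("short frame")
    off = 12                                   # skip destination and source MAC
    vlan = None
    sgt = None
    (etype,) = struct.unpack_from("!H", frame, off)
    off += 2
    if etype == ETHERTYPE_8021Q:               # optional VLAN tag
        (tci,) = struct.unpack_from("!H", frame, off)
        vlan = tci & 0x0FFF
        off += 2
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
    if etype == ETHERTYPE_CMD:                 # inline SGT
        version, _length, opt_type, _opt_len, value = struct.unpack_from("!BBHHH", frame, off)
        if version != CMD_VERSION or opt_type != CMD_SGT_OPTION_TYPE:
            raise ValueError(f"unexpected CMD header: version={version} option={opt_type:#06x}")
        sgt = value
        off += 8
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
    return {"vlan": vlan, "sgt": sgt, "ethertype": etype, "payload_offset": off}


if __name__ == "__main__":
    # Constructed addresses and a placeholder IPv4 payload.
    frame = build_frame(b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee",
                        vlan=10, sgt=5, payload=b"\x45" + b"\x00" * 19)
    print(parse_frame(frame))
```

A device in the path that does not understand EtherType 0x8909 cannot parse past the CMD header, which is why inline tagging is only enabled hop-by-hop between TrustSec-capable devices and SXP carries IP-to-SGT bindings across everything else.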

129
Multi-Selecteasy

Which TWO of the following are valid methods for deploying Cisco Web Security Appliance in a network? (Choose two.)

Select 2 answers
A.Explicit proxy mode
B.VPN concentrator mode
C.DNS proxy mode
D.Transparent proxy mode
E.Bridge mode
AnswersA, D

Clients are configured to use the WSA as proxy.

Why this answer

Explicit proxy mode requires clients to be configured (manually, via PAC file or via group policy) to send web traffic directly to the WSA's IP address and proxy port (3128 and 80 by default). This gives the administrator granular control over which devices use the proxy and allows authentication at the proxy layer. Transparent proxy mode is the other valid deployment: traffic is redirected to the WSA by a WCCP-enabled router or switch, by policy-based routing, or by a Layer 4 switch, so clients need no proxy configuration and cannot trivially bypass it.

Exam trap

Cisco often tests the distinction between 'transparent proxy mode' and 'bridge mode' — candidates mistakenly think the WSA can be deployed as a Layer 2 bridge, but the correct term for inline, non-explicit interception is transparent proxy mode, which relies on traffic redirection rather than bridging.

130
Multi-Selectmedium

Which TWO of the following are valid detection methods used by Cisco AMP for Endpoints to identify malicious activity?

Select 2 answers
A.Exploit Prevention using vulnerability-based rules
B.Heuristic analysis of unknown files
C.File Reputation via cloud lookups
D.Anomaly-based behavioral detection
E.Signature-based IPS scanning
AnswersA, C

AMP Exploit Prevention blocks exploitation techniques.

Why this answer

Options A and C are correct. AMP for Endpoints uses File Reputation (cloud lookups keyed on the SHA-256 of the file) and Exploit Prevention (which blocks memory-corruption exploitation techniques in protected processes). Option E (Signature-based IPS scanning) is a network IPS function, not an AMP for Endpoints engine.

Option D (Anomaly-based behavioral detection) as worded describes network anomaly detection, an IDS function; AMP's behavioral engines such as Malicious Activity Protection are rule- and indicator-driven. Option B (Heuristic analysis) is likewise not one of the primary engines the exam expects, even though AMP does include machine-learning file analysis engines alongside its reputation lookups.

131
Multi-Selecthard

Which TWO of the following are correct about Cisco Umbrella's multi-layered security approach? (Choose two.)

Select 2 answers
A.Firewall as a Service
B.DNS-layer security
C.IP reputation filtering
D.Proxy-based web inspection
E.Sandboxing for malicious file analysis
AnswersB, D

First layer of defense by blocking requests to malicious domains.

Why this answer

DNS-layer security is a core component of Cisco Umbrella's multi-layered approach. It blocks requests to malicious domains at the resolution step, before any connection to the destination IP is made, by checking DNS queries against threat intelligence. This prevents users from reaching known phishing, malware, or command-and-control (C2) domains regardless of the protocol they would have used next. Proxy-based web inspection (the intelligent proxy) is the second layer: for domains that are risky rather than outright malicious, Umbrella proxies the HTTP/HTTPS session itself so that individual URLs and files can be inspected instead of blocking the whole domain.

Exam trap

Cisco often tests the distinction between the core layers of Umbrella's multi-layered security (DNS-layer and proxy-based web inspection) and additional integrated features like sandboxing or IP reputation, which are not considered separate layers in the official architecture.

132
MCQeasy

A security engineer is configuring Cisco WSA to block access to a new social media site that is not in any predefined URL category. Which action should the engineer take to ensure the site is blocked for all users?

A.Disable the URL filtering engine and use only web reputation.
B.Add the URL to the existing Social Networking category.
C.Create a custom URL category with the site and apply a block action in the access policy.
D.Enable Dynamic Content Analysis to detect and block the site.
AnswerC

This directly blocks the site via policy.

Why this answer

Option C is correct because Cisco WSA allows administrators to create custom URL categories for sites not covered by predefined categories. By adding the URL to a custom category and applying a block action in the access policy, the engineer ensures the site is blocked for all users, as access policies evaluate custom categories before predefined ones.

Exam trap

Cisco often tests the misconception that predefined categories are editable or that Dynamic Content Analysis can be used for URL blocking, when in fact custom categories are the only way to handle uncategorized sites in access policies.

How to eliminate wrong answers

Option A is wrong because disabling the URL filtering engine and relying solely on web reputation would not block a specific URL; web reputation scores traffic based on risk, not content categories, and cannot enforce a block for a particular social media site. Option B is wrong because the Social Networking category is a predefined, read-only category in Cisco WSA; you cannot add custom URLs to it, and attempting to do so would require modifying the category definition, which is not supported. Option D is wrong because Dynamic Content Analysis (DCA) inspects web content for malicious patterns, not for blocking specific social media sites; it is designed for threat detection, not URL-based access control.

133
Multi-Selecteasy

Which TWO of the following are required to configure a site-to-site IPsec VPN on a Cisco IOS router?

Select 2 answers
A.ISAKMP policy
B.ACL to define interesting traffic
C.NAT exemption for VPN traffic
D.AAA new-model
E.DHCP pool for remote clients
AnswersA, B

ISAKMP policy is required for IKE phase 1 negotiation.

Why this answer

ISAKMP (Internet Security Association and Key Management Protocol) policy is required to define the parameters for Phase 1 of an IPsec VPN, including encryption, authentication, Diffie-Hellman group, and lifetime. Without an ISAKMP policy, the router cannot establish the secure management tunnel needed to negotiate IPsec Security Associations (SAs).

Exam trap

Cisco often tests the distinction between mandatory and optional components. NAT exemption is needed only when the router also performs NAT on the protected traffic (otherwise the traffic would be translated before it matches the crypto ACL), AAA is needed only for remote-access or EAP-based authentication, and a DHCP pool is for remote-access clients, not a site-to-site tunnel. Note that a transform set and a crypto map (or IPsec profile applied to a tunnel interface) are also mandatory; the two in this question are simply the two mandatory items among the choices offered.

134
Multi-Selecteasy

Which TWO of the following are features of Cisco TrustSec? (Choose TWO)

Select 2 answers
A.Security Group Tag Exchange Protocol (SXP)
B.Security Group Tag (SGT) assignment
C.IPsec VPN
D.Network Access Control (NAC)
E.802.1X authentication
AnswersA, B

SXP propagates SGTs across network devices.

Why this answer

Security Group Tag Exchange Protocol (SXP) is a Cisco TrustSec feature that propagates Security Group Tag (SGT) bindings between network devices without requiring inline tagging on every packet. It allows devices that do not natively support SGT in hardware to participate in TrustSec by exchanging IP-to-SGT mappings over TCP, enabling consistent policy enforcement across heterogeneous environments.

Exam trap

Cisco often tests the distinction between TrustSec features (SGT assignment and SXP) and supporting technologies like 802.1X or NAC, leading candidates to mistakenly select authentication or access control mechanisms as core TrustSec components.

135
MCQmedium

A university IT team manages 1,000 macOS laptops for students using Cisco AMP for Endpoints. They receive reports that some students' laptops are running slowly and fans are spinning constantly. The team checks the AMP console and sees that these endpoints are performing constant file scans on user directories. The team suspects that the AMP scanning is causing high CPU usage. They want to optimize performance without compromising security. The laptops use the default AMP policy with real-time scanning enabled. What should the team do?

A.Reduce the number of alert notifications to limit AMP's background activity.
B.Increase the file scanning interval to every 30 seconds instead of real-time.
C.Add exclusions for common user data directories in the AMP policy.
D.Disable real-time scanning and rely on scheduled scans.
AnswerC

Reduces scanning of trusted files, lowering CPU usage.

Why this answer

Option C is correct because adding exclusions for known noisy, trusted paths removes them from real-time scanning and cuts the CPU cost without turning protection off. Keep the exclusions narrow (specific application caches, build or sync directories, trusted signed processes), since blanket exclusion of user data directories is exactly where downloaded malware lands. Option D (disable real-time scanning) would leave endpoints unprotected between scheduled scans. Option B (increase the scanning interval) does not apply to real-time scanning, which is event-driven rather than interval-based.

Option A (reduce notification alerts) only changes what the console shows and does not affect CPU usage on the endpoint.

136
MCQmedium

A security analyst notices that a Cisco Firepower Threat Defense (FTD) device is not applying file policies to detect malware in HTTP traffic. The access control policy has an HTTPS decryption rule that decrypts traffic from external sources. The file policy is associated with the same rule. What is the missing configuration?

A.The file policy is set to 'Detect' but not 'Block' for malware.
B.The HTTP inspection is not enabled in the access control policy's advanced settings.
C.SSL decryption is not configured for the internal network.
D.The URL category is not defined in the file policy.
AnswerB

File policies require the HTTP inspector to be enabled to scan files in HTTP streams.

Why this answer

File policies in Firepower depend on the protocol inspectors that reassemble application streams. For HTTP, the HTTP inspector (the HTTP preprocessor of the network analysis policy, exposed through the access control policy's advanced settings) must be enabled so that files carried in HTTP bodies can be extracted and handed to the file policy. Option B is correct for that reason.

Option A is not the cause: a file policy set to Detect still produces file and malware events, and the symptom here is that no file policy is applied at all. Option C is incorrect because decryption is already in place for the traffic in question. Option D is incorrect because file policies operate independently of URL filtering.

137
MCQmedium

Refer to the exhibit. A network administrator reviews the ISE live log for a successful 802.1X authentication. After authentication, the user is unable to make VoIP calls. What is the most likely cause?

A.The user's phone is not configured for 802.1X.
B.The RADIUS attribute 'device-traffic-class=voice' is incorrect.
C.The switch port is not configured with 'authentication host-mode multi-domain'.
D.The authorization profile does not include a voice VLAN.
AnswerD

VoIP requires a dedicated voice VLAN; without it, the phone cannot communicate with the call manager.

Why this answer

Option D is correct because the authorization profile 'Standard_Access' matched in the live log is a data-device profile and does not deliver the voice VLAN, so the phone ends up in the data domain and cannot reach the call manager. Though the session attributes show 'device-traffic-class=voice', that cisco-av-pair only grants voice-domain permission on the port (it is not a QoS marking); it does not by itself place the phone in the voice VLAN, which must be configured on the switch port or reflected in the authorization result. Option C is incorrect because multi-domain host mode only governs whether a phone and a PC may share one port; it would not explain a successful authentication into the wrong domain.

Option A is incorrect because the live log shows the phone authenticated successfully via 802.1X. Option B is incorrect because the attribute is correctly formatted.

138
MCQeasy

A government agency is deploying Cisco ISE with a posture agent to ensure endpoints comply with security policies before accessing the network. The posture policy requires that all Windows computers have antivirus (AV) software running. The engineer configures a condition 'AV installed and running' and binds it to an authorization profile that grants full access if compliant, or quarantine if not. During testing, a computer that has AV installed and running (verified manually) is placed in quarantine. ISE logs show 'Posture - AV condition not satisfied'. The engineer checks the ISE posture configuration: the AV condition uses a default Cisco AV dictionary. What is the most likely cause?

A.The AV vendor is not supported by the ISE default posture dictionary
B.The posture policy is configured to require the AV version as well
C.The client's ISE posture agent is not installed
D.The client's firewall is blocking communication with ISE
AnswerA

ISE's default dictionary includes common AVs; if the vendor is unsupported, the condition cannot be evaluated correctly.

Why this answer

The posture condition uses a dictionary that maps known AV products. If the specific AV brand is not in the Cisco default dictionary, the condition will fail even if AV is running. Option A is correct.

Option B (requiring the AV version as well) would affect many endpoints, not just one. Option C would cause other issues. Option D is possible but less likely.

139
MCQmedium

A user in the marketing group reports that they cannot access twitter.com. The access policy summary is shown in the exhibit. What is the most likely reason?

A.The default policy is blocking the site because Marketing-Policy is set to Monitor only.
B.The access policy has a time-based restriction that blocks social media during work hours.
C.The marketing group is not assigned to the Marketing-Policy.
D.The Social Networking category is set to Block in the Marketing-Policy.
AnswerD

The block action overrides the Monitor action for that category.

Why this answer

Option D is correct because the exhibit shows that the Marketing-Policy has the Social Networking category set to Block. Since twitter.com is classified under Social Networking, this action explicitly denies access for users assigned to that policy, overriding any other settings.

Exam trap

Cisco often tests the misconception that a Monitor action in a policy allows traffic, when in fact Monitor only logs traffic without blocking it, but a Block action in the same or a more specific category overrides Monitor for that category.

How to eliminate wrong answers

Option A is wrong because the default policy only applies when no other policy matches; here the Marketing-Policy matches the marketing group, so the default policy is not evaluated. Option B is wrong because the exhibit does not show any time-based restriction; the policy summary lists only category-based actions. Option C is wrong because the question states the user is in the marketing group, and the exhibit implies the Marketing-Policy is applied to that group; if the group were not assigned, the user would fall through to the default policy, not be blocked by a specific category action.

140
MCQmedium

A large enterprise has deployed Cisco ISE for network access control. The network consists of multiple access switches and wireless LAN controllers. The security team wants to enforce that only domain-joined Windows computers with up-to-date antivirus can access the corporate network. Non-compliant devices should be placed in a quarantine VLAN with limited access to remediation servers. The ISE policies are configured with posture assessment. However, during a test, a non-compliant Windows computer is granted full network access instead of being quarantined. The ISE logs show that the posture assessment passed, but the computer's antivirus is outdated. What is the most likely reason for this behavior?

A.The authorization policy is matching before the posture policy is evaluated.
B.The posture policy is configured with 'continue' action for non-compliant status, allowing the user to proceed to authorization.
C.The posture agent is not installed on the endpoint, so the assessment is skipped.
D.The posture requirement is set to 'mandatory' but the agent is set to 'any', allowing non-compliant devices.
AnswerB

The 'continue' action does not enforce remediation; it passes the user to authorization.

Why this answer

Option B is correct because in Cisco ISE, when a posture policy is configured with a 'continue' action for non-compliant status, the session does not terminate; instead, it proceeds to the authorization policy. This means the endpoint is evaluated by authorization rules, which may grant full network access if no quarantine rule is matched. The logs show the posture assessment passed because the 'continue' action treats non-compliance as a passing state for policy flow, not a failure.

Exam trap

Cisco often tests the distinction between posture policy actions ('continue' vs. 'block') and authorization policy conditions, trapping candidates who assume non-compliance always results in quarantine without considering the policy flow.

How to eliminate wrong answers

Option A is wrong because ISE evaluates posture policies before authorization policies; the authorization policy cannot match before posture is assessed. Option C is wrong because if the posture agent were not installed, the posture assessment would typically result in an 'unknown' or 'not applicable' status, not a 'passed' status, and the logs would reflect that. Option D is wrong because a 'mandatory' posture requirement with an 'any' agent setting would still enforce posture checks; the issue is the action taken on non-compliance, not the requirement or agent type.

141
MCQhard

A global company uses Cisco Umbrella to enforce security policies across roaming users. Recently, a user reported that they could not access a legitimate business application while connected to a guest Wi-Fi at an airport. The application is categorized as 'Productivity' in Umbrella. Other users outside the office can access it. What is the most likely reason?

A.The user's Umbrella roaming client is unable to authenticate, so the request uses the default policy which blocks the category.
B.The application's category is blocked globally in the Umbrella policy.
C.The user is in a different geographic location with a stricter policy.
D.The guest Wi-Fi's public IP address is on a block list.
AnswerA

Identity not resolved; the fallback policy applies.

Why this answer

Option A is correct because Umbrella uses identity-based policies; if the roaming security client cannot detect the user identity (e.g., due to no VPN or client failure), the request falls back to the default policy, which might block the category. Option B is wrong because the category is not blocked globally. Option C is wrong because the issue is specific to one user, not location.

Option D is wrong because the guest Wi-Fi has no public IP block.

142
Multi-Selecthard

A cloud security team is deploying Cisco Tetration (Secure Workload) in a hybrid cloud environment. Which three are prerequisites for workload discovery and policy enforcement? (Choose three.)

Select 3 answers
A.Configuration of flow export from network devices
B.Deployment of sensors on all workloads
C.Integration with cloud provider APIs
D.Setup of global enforcement scopes
E.Registration with Cisco Smart Licensing
AnswersB, C, D

Sensors collect flow and process data needed for discovery and enforcement.

Why this answer

B is correct because Cisco Tetration (Secure Workload) relies on sensors installed on each workload to collect granular telemetry, including process, network, and flow data. Without sensors, the platform cannot discover workload dependencies or enforce micro-segmentation policies, as sensors are the primary data source for the agent-based architecture.

Exam trap

Cisco often tests the misconception that flow export from network devices is a core requirement for Tetration, but the platform's sensor-based architecture makes workload-level telemetry the mandatory foundation, with network device exports being optional and supplementary.

143
MCQmedium

A network team is configuring Cisco FTD for a new branch office. They want to allow outbound web traffic but block all inbound traffic except for a specific public server. Which policy type should be used to allow the return traffic for outbound connections?

A.A stateless ACL
B.A stateful access rule
C.A NAT rule
D.SSL decryption
AnswerB

Stateful inspection tracks connections and allows return traffic automatically.

Why this answer

Cisco FTD uses a stateful firewall engine that tracks the state of outbound connections. When a stateful access rule permits outbound web traffic, the firewall automatically creates a dynamic pinhole for the return traffic, eliminating the need for explicit inbound rules. This is the correct policy type because it maintains session state and allows only related return packets, aligning with the requirement to block all other inbound traffic.

Exam trap

Cisco often tests the misconception that a stateless ACL can handle return traffic for outbound connections, but candidates forget that stateless firewalls require explicit inbound permit rules for return packets, whereas stateful firewalls automatically manage this via connection state tracking.

How to eliminate wrong answers

Option A is wrong because a stateless ACL evaluates each packet independently without tracking connection state, requiring explicit inbound rules for return traffic, which would violate the requirement to block all inbound traffic except for a specific public server. Option C is wrong because a NAT rule translates IP addresses but does not inherently permit or deny traffic; it must be paired with an access rule to control flow, and it does not handle stateful return traffic on its own. Option D is wrong because SSL decryption is used to inspect encrypted traffic for threats, not to allow return traffic for outbound connections; it operates on the application layer and does not manage firewall state.

144
Matchingmedium

Match each security technology to its primary function.


Concepts
Matches

Detect and block malicious traffic inline

Monitor and alert on suspicious activity

Control access based on rules

Protect web applications from attacks

Encrypt traffic over public networks

Why these pairings

These are common security technologies and their primary roles.

145
Multi-Selecteasy

Which TWO actions can be taken on a malicious file detected by Cisco AMP for Endpoints?

Select 2 answers
A.Allow the file after a scan
B.Block execution of the file
C.Encrypt the file to prevent harm
D.Delete the file
E.Quarantine the file into a safe location
AnswersB, E

Block prevents the file from running.

Why this answer

Options B and E are correct. AMP can block execution and quarantine the file. Option D is wrong because deleting is not a standard action.

Option C is wrong because encrypting would harm the system. Option A is wrong because allowing is the opposite of protection.

146
MCQeasy

An organization wants to enforce granular data loss prevention (DLP) policies for SaaS applications like Google Drive and Salesforce. Which Cisco product provides cloud access security broker (CASB) functionality with DLP capabilities?

A.Cisco Firepower Threat Defense
B.Cisco Umbrella
C.Cisco Stealthwatch
D.Cisco Cloudlock
AnswerD

Cloudlock is a CASB that offers DLP for SaaS apps.

Why this answer

Cisco Cloudlock is the correct answer because it is a cloud access security broker (CASB) that provides granular data loss prevention (DLP) for SaaS applications like Google Drive and Salesforce. It uses API-based inspection to scan data at rest and in motion, applying policies to prevent unauthorized sharing or leakage of sensitive information.

Exam trap

The trap here is that candidates often confuse network-based security tools (like FTD or Umbrella) with cloud-native CASB solutions, assuming that any Cisco security product can enforce DLP for SaaS apps, but only Cloudlock provides the necessary API-level integration for granular control.

How to eliminate wrong answers

Option A is wrong because Cisco Firepower Threat Defense (FTD) is a next-generation firewall (NGFW) that focuses on network traffic inspection and intrusion prevention, not on API-based DLP for SaaS applications. Option B is wrong because Cisco Umbrella is a DNS-layer security solution for web filtering and threat intelligence, lacking the deep content inspection and DLP capabilities for cloud applications. Option C is wrong because Cisco Stealthwatch is a network visibility and analytics tool that uses NetFlow and behavioral analysis for threat detection, not a CASB with DLP for SaaS data.

147
Multi-Selectmedium

Which THREE of the following are capabilities of Cisco Email Security Appliance (ESA) for content filtering? (Choose three.)

Select 3 answers
A.Intrusion Prevention System (IPS)
B.Anti-spam filtering
C.Zero-day malware protection using sandboxing
D.Anti-virus scanning
E.Data Loss Prevention (DLP)
AnswersB, D, E

ESA uses Cisco's and third-party anti-spam engines.

Why this answer

B is correct because Cisco ESA includes a sophisticated anti-spam filtering engine that uses multiple techniques such as SenderBase reputation, contextual analysis, and signature-based detection to identify and block unwanted email messages. This is a core content security capability of the ESA, operating at the email gateway to filter inbound and outbound traffic.

Exam trap

Cisco often tests the distinction between native ESA capabilities (like anti-spam, anti-virus, and DLP) and optional integrated features (like sandboxing), leading candidates to mistakenly select sandboxing as a core content filtering function.

148
MCQeasy

A network administrator wants to block access to a specific URL category on the Cisco WSA but allow access to all other categories. Which action should be taken in the Access Policy?

A.Set the action to 'Monitor' for the category
B.Set the action to 'Redirect' for the category
C.Set the action to 'Warn' for the category
D.Set the action to 'Block' for the category
AnswerD

Block denies access to the category.

Why this answer

To block access to a specific URL category while allowing all others, the Access Policy must set the action for that category to 'Block'. The Cisco WSA evaluates URL categories in order of precedence, and a 'Block' action explicitly denies HTTP/HTTPS requests matching that category, while all other categories default to 'Allow' unless otherwise configured.

Exam trap

Cisco often tests the distinction between 'Block' and 'Warn' actions, where candidates mistakenly think 'Warn' denies access, but it actually allows access after user acknowledgment, making 'Block' the only true denial action.

How to eliminate wrong answers

Option A is wrong because 'Monitor' logs the traffic but does not block it, allowing access to the category. Option B is wrong because 'Redirect' sends the user to a different URL (e.g., a block page or authentication portal) but does not inherently block access; it can be bypassed or still permit the request depending on configuration. Option C is wrong because 'Warn' displays a warning message to the user but still permits access to the category after the user acknowledges the warning.

149
Multi-Selecthard

Which THREE of the following are common challenges when securing multi-cloud environments? (Choose three.)

Select 3 answers
A.Limited storage capacity in public clouds
B.Reducing cloud infrastructure costs
C.Meeting compliance requirements across jurisdictions
D.Lack of unified visibility across cloud providers
E.Inconsistent security policies between clouds
AnswersC, D, E

Compliance across clouds is a significant challenge.

Why this answer

Option C is correct because multi-cloud environments span multiple jurisdictions with differing data protection laws (e.g., GDPR, CCPA, LGPD). Meeting compliance requirements becomes a challenge as each cloud provider may have different compliance certifications and data residency controls, requiring careful mapping of data flows and contractual agreements to avoid legal penalties.

Exam trap

Cisco often tests the distinction between security challenges and operational/financial challenges, so candidates mistakenly pick options like 'reducing costs' or 'storage capacity' because they sound like common cloud problems, but they are not security-specific.

150
MCQmedium

A company is deploying Cisco ISE for guest access. They want to provide a self-service portal where guests can register their devices and receive a temporary username and password. Which ISE component is used to accomplish this?

A.BYOD Portal
B.Mobile Device Management (MDM)
C.Guest Portal
D.Profiler Service
AnswerC

Guest Portal provides self-service registration and temporary credentials for guests.

Why this answer

C is correct because the Guest Portal in Cisco ISE is specifically designed to provide a self-service registration page where guests can create their own accounts, receive temporary credentials, and gain network access. This portal handles the entire guest lifecycle, including sponsor approval if required, and can deliver the username/password via SMS, email, or on-screen display.

Exam trap

Cisco often tests the distinction between BYOD and Guest portals, and the trap here is that candidates confuse the BYOD Portal (which handles device onboarding with certificates) with the Guest Portal (which handles temporary user credentials for non-employees).

How to eliminate wrong answers

Option A is wrong because the BYOD Portal is used for employees to onboard their personal devices into the corporate network with certificate-based authentication, not for guest self-registration. Option B is wrong because Mobile Device Management (MDM) is an external system that enforces policies on enrolled devices (e.g., compliance checks, remote wipe) and is not a self-service portal for guest credential provisioning. Option D is wrong because the Profiler Service uses passive and active probing techniques (e.g., DHCP, HTTP, SNMP) to identify device attributes like OS or vendor, but it does not provide any user-facing portal for registration or credential delivery.
